From 186329a5cb27417ef9dbde55527fe29c57694407 Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Mon, 26 Dec 2016 17:37:50 +0800 Subject: [PATCH 001/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对中 --- ... Silicon Valley shares her 'nerd' story.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md b/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md index af282246db..4bb3b39ec3 100644 --- a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md +++ b/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md 
@@ -1,35 +1,35 @@ -”硅谷的女儿“的天才故事 +“硅谷的女儿”的成才之路 ======================================================= ![](https://opensource.com/sites/default/files/styles/image-full-size/public/images/life/myopensourcestory.png?itok=6TXlAkFi) -在 2014 年,为了对网上一些关于女性在科技行业的缺失的评论作出回应,我的同事 [Crystal Beasley][1] 建立了一个能让在科技/信息安全方面工作的女性在网络上分享自己的“天才之路”。这篇文章就是我的故事。我把我的故事与你们分享是因为我相信榜样的力量,我也相信有一个人有很多的方式进入一个让自己满意的有挑战性的工作和一个实现了所有目标的人生。 +在 2014 年,为了对网上一些关于在科技行业女性稀缺的评论作出回应,我的同事 [Crystal Beasley][1] 倡议在科技/信息安全方面工作的女性在网络上分享自己的“成才之路”。这篇文章就是我的故事。我把我的故事与你们分享是因为我相信榜样的力量,也相信一个人有多种途径,选择一个让自己满意的有挑战性的工作,以及实现目标的人生。 ### 和电脑相伴的童年 -我,在其他的光环之下,是硅谷的女儿。我的故事不是一个观众变成舞台的主角的故事。也不是从小就为这份事业做贡献的故事。这个故事更多的是关于环境如何塑造你 — 通过它的那种已然存在的文化来改变你,如果你想要被改变的话。这不是从小就看是努力并为一个明确的目标而奋斗的故事,我知道这是关于特权的故事。 +我可以说是硅谷的女儿。我的故事不是一个从科技业余爱好转向专业的故事,也不是从小就专注于这份事业的故事。这个故事更多的是关于环境如何塑造你 — 通过它的那种已然存在的文化来改变你,如果你想要被改变的话。这不是从小就开始努力并为一个明确的目标而奋斗的故事,我意识到,这其实是享受了一些特权的成长故事。 -我出生在曼哈顿,但是我在新泽西州长大,因为我的爸爸作为一个退伍军人在那里的罗格斯大学攻读计算机科学的博士学位。当我四岁时,学校里有人问我我的爸爸干什么谋生时,我说,“他就是看电视和捕捉小虫子,但是我从没有见过那些小虫子”(译者注:小虫子,bug)。他在家里有一台哑终端,这大概与他在博尔特-贝拉尼克-纽曼公司的工作有关,他会通过早期的互联网来进行它在人工智能方面的工作。我就在旁边看着。 +我出生在曼哈顿,但是我在新泽西州长大,因为我的爸爸退伍后,在那里的罗格斯大学攻读计算机科学的博士学位。当我四岁时,学校里有人问我爸爸干什么谋生时,我说,“他就是看电视和捕捉小虫子,但是我从没有见过那些小虫子”(译者注:小虫子,bug)。他在家里有一台哑终端,这大概与他在 Bolt Beranek Newman 公司的工作有关,做关于早期互联网人工智能方面的工作。我就在旁边看着。 -我没能玩上父亲的会抓小虫子的电视,但是我很早就接触到了技术领域,我很珍惜这个礼物。提早的熏陶对于一个未来的天才是十分必要的 — 所以,请花时间和你的小孩谈谈他以后要做什么! +我没能玩上父亲的会抓小虫子的电视,但是我很早就接触到了技术领域,我很珍惜这个礼物。提早的熏陶对于一个未来的高手是十分必要的 — 所以,请花时间和你的小孩谈谈你所知道的你做的事情! 
![](https://opensource.com/sites/default/files/resize/moss-520x433.png) ->我父亲的终端和这个很类似——如果不是这个的话 CC BY-SA 4.0 +*我父亲的终端和这个很类似 —— 如果不是这个的话 CC BY-SA 4.0* -当我六岁时,我们搬到了加州。父亲在施乐的研究中心找到了一个工作。我记得那时我认为这个城市一定有很多熊,因为在它的旗帜上都有一个熊。在1979年,帕洛阿尔托还是一个大学城,还有果园和开阔地带。 +当我六岁时,我们搬到了加州。父亲在施乐的研究中心找到了一个工作。我记得那时我认为这个城市一定有很多熊,因为在它的旗帜上有一个熊。在1979年,Palo Alto 还是一个大学城,还有果园和开阔地带。 -在帕洛阿尔托的公立学校待了一年之后,我的姐姐和我被送到了“半岛学校”,这个“模范学校”对我造成了深刻的影响。在那里,好奇心和创新意识是被推崇的,教育也是有学生自己决定的。我们很少在学校看到能叫做电脑的东西,但是在家就不同了。 +在 Palo Alto 的公立学校待了一年之后,我的姐姐和我被送到了“半岛学校”,这个“民主模范”学校对我造成了深刻的影响。在那里,好奇心和创新意识是被高度推崇的,教育也是由学生自己分组讨论决定的。在学校,我们很少能看到叫做电脑的东西,但是在家就不同了。 -在父亲从施乐辞职之后,他就去了苹果,在那里他帮助研发——以及带回家让我玩的第一批电脑就是:Apple II 和 LISA。我的父亲在原先的 LISA 的研发团队。我直到现在还深刻的记得他让我们一次又一次的“玩鼠标”场景,因为他想让我的 3 岁大的妹妹对这个东西感到舒服——她也确实那样。 +在父亲从施乐辞职之后,他就去了 Apple 公司,在那里他工作使用并带回家让我玩的第一批电脑就是:Apple II 和 LISA。我的父亲在最初的 LISA 的研发团队。我直到现在还深刻的记得他让我们一次又一次的“玩鼠标”的场景,因为他想让我的 3 岁大的妹妹对这个东西感到舒服 —— 她也确实那样。 ![](https://opensource.com/sites/default/files/resize/600px-apple_lisa-520x520.jpg) ->我们的 LISA 看起来就像这样,看到鼠标了吗?CC BY-SA 4.0 +*我们的 LISA 看起来就像这样,看到鼠标了吗?CC BY-SA 4.0* -在学校,我的数学的概念学得不错,但是基本计算却惨不忍睹。我的第一个学校的老师告诉我的家长,还有我,说我的数学很差以及我很“笨”。虽然我在“常规的”数学项目中表现出色,能理解一个 7 岁的孩子能理解的逻辑谜题,但是我不能完成我们每天早上都要做的“练习”。她说我傻,这事我不会忘记。在那之后的十年我都没能相信自己的逻辑能力和算法的水平。不要 低估你给孩子的说的话的力量。 +在学校,我的数学的概念学得不错,但是基本计算却惨不忍睹。我的第一个学校的老师告诉我的家长和我,说我的数学很差,还说我很“笨”。虽然我在“常规的”数学项目中表现出色,能理解一个 7 岁的孩子能理解的逻辑谜题,但是我不能完成我们每天早上都要做的“练习”。她说我傻,这事我不会忘记。在那之后的十年我都没能相信自己的逻辑能力和算法的水平。**不要低估你对孩子说的话的影响**。 -在我玩了几年爸爸的电脑之后,他从苹果跳到了 EA 又跳到了 SGI,我又体验了他带回来的新玩意。这让我们认为我们家的房子是镇里最酷的,因为我们在车库里有一个能玩 Doom 的 SGI 的机器。我不会太多的编程,但是现在我发现,在那些年里我对尝试新的科技不再恐惧。同时,我的学文学和教育的母亲,成为了一个科技行业的作家,她向我证实了一个人的职业可以改变以及科技行业的人也可以做母亲。我不是说这对她来说很简单,但是她让我认为这件是看起来很简单。你可能回想这些早期的熏陶能把我带到科技行业,但是它没有。 +在我玩了几年爸爸的电脑之后,他从 Apple 公司跳槽到了 EA,又跳到了 SGI,我又体验了他带回来的新玩意。这让我们认为我们家的房子是镇里最酷的,因为我们在车库里有一个能玩 Doom 的 SGI 的机器。我不会太多的编程,但是现在看来,从那些年里我学到对尝试新的科技毫不恐惧。同时,我的学文学和教育的母亲,成为了一个科技行业的作家,她向我证实了一个人的职业可以改变,而且一个做母亲的人可能同时驾驭一个科技职位。我不是说这对她来说很简单,但是她让我认为这件事看起来很简单。你可能会想这些早期的熏陶能把我带到科技行业,但是它没有。 ### 本科时光 
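Review bot: Proper-noun handling is inconsistent in the added lines of this hunk (@@ -1,35 +1,35 @@): 帕洛阿尔托 becomes "Palo Alto", 苹果 becomes "Apple 公司" and 博尔特-贝拉尼克-纽曼 becomes "Bolt Beranek Newman", while 施乐 and “半岛学校” stay translated in the same paragraphs. Pick one convention and apply it throughout. Two smaller points in the same hunk: "在1979年,Palo Alto" has no spaces around the year although the opening paragraph writes "在 2014 年", and "深刻的记得" in the LISA paragraph should be "深刻地记得".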
From 630525b637c9f3e8be4d48f4ca0e9657ea584277 Mon Sep 17 00:00:00 2001 From: wxy Date: Mon, 26 Dec 2016 17:47:28 +0800 Subject: [PATCH 002/181] =?UTF-8?q?PROOF:20161121=20Create=20an=20Active?= =?UTF-8?q?=20Directory=20Infrastructure=20with=20Samba4=20on=20Ubuntu=20?= =?UTF-8?q?=E2=80=93=20Part=201?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking --- ...tructure with Samba4 on Ubuntu – Part 1.md | 132 +++++++++--------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md b/translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md index 4b30913404..e221170a57 100644 --- a/translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md +++ b/translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md 
@@ -1,36 +1,35 @@ -Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1 +在 Ubuntu 系统上使用 Samba4 来创建活动目录架构(一) ============================================================ -在 Ubuntu 系统上使用 Samba4 软件来创建活动目录架构 —— 第一节 -Samba 是一个免费的开源软件套件,用于实现 Windows 主机与 Linux/Unix 服务器之间的无缝连接及共享资源。 +Samba 是一个自由的开源软件套件,用于实现 Windows 操作系统与 Linux/Unix 系统之间的无缝连接及共享资源。 -Samba 不仅可以通过 SMB/CIFS 协议组件来为 Windows 与 Linux 系统之间提供独立的文件及打印机共享服务,它还能实现活动目录域控制器的功能,或者让 Linux 主机加入到域环境中作为域成员服务器。当前的 Samba4 版本实现的 AD DC 域及林功能级别可以取代 Windows 2008 R2 系统的域相关功能。 +Samba 不仅可以通过 SMB/CIFS 协议组件来为 Windows 与 Linux 系统之间提供独立的文件及打印机共享服务,它还能实现活动目录(Active Directory)域控制器(Domain Controller)的功能,或者让 Linux 主机加入到域环境中作为域成员服务器。当前的 Samba4 版本实现的 AD DC 域及森林级别可以取代 Windows 2008 R2 系统的域相关功能。 -该序列的文章的主要内容是使用 Samba4 软件来配置活动目录域控制器,包括与 Ubuntu,CentOS 和 Windows 系统相关的以下主题: +本系列的文章的主要内容是使用 Samba4 软件来配置活动目录域控制器,涉及到 Ubuntu、CentOS 和 Windows 系统相关的以下主题: -第 1 节:在 Ubuntu 系统上使用 Samba4 软件来创建活动目录架构 -第 2 节:[在 Linux 命令行下管理 Samba4 AD 架构][4] -第 3 节:在 Windows 10 操作系统上安装 RSAT 工具来管理 Samba4 AD -第 4 节:使用 Sysvol Replication 复制功能把 Samba 4 DC 加入到已有的 AD -第 5 节:从 Linux DC 服务器通过GOP来添加一个共享磁盘并映射到 AD -第 6 节:把 Ubuntu 16.04 系统主机作为域成员服务器添加到 AD -第 7 节:把 CenterOS 7 系统主机作为域成员服务器添加到 AD -第 8 节:在 AD Intranet 区域创建使用kerberos认证的 Apache Website +- 第 1 节:在 Ubuntu 系统上使用 Samba4 来创建活动目录架构 +- 第 2 节:在 Linux 命令行下管理 Samba4 AD 架构 +- 第 3 节:在 Windows 10 操作系统上安装 RSAT 工具来管理 Samba4 AD +- 第 4 节:从 Windows 中管理 Samba4 AD 域控制器 DNS 和组策略 +- 第 5 节:使用 Sysvol Replication 复制功能把 Samba 4 DC 加入到已有的 AD +- 第 6 节:从 Linux DC 服务器通过 GOP 来添加一个共享磁盘并映射到 AD +- 第 7 节:把 Ubuntu 16.04 系统主机作为域成员服务器添加到 AD +- 第 8 节:把 CenterOS 7 系统主机作为域成员服务器添加到 AD +- 第 9 节:在 AD Intranet 区域创建使用 kerberos 认证的 Apache Website -该向导将阐明在 Ubuntu 16.04 和 Ubuntu 14.04 操作系统上安装配置 Samba4 作为域控服务器组件的过程中,你需要注意的每一个步骤。 +这篇指南将阐明在 Ubuntu 16.04 和 Ubuntu 14.04 操作系统上安装配置 Samba4 作为域控服务器组件的过程中,你需要注意的每一个步骤。 -This configuration will provide a central management point for users, machines, volume shares, permissions and other resources in a mixed-up Windows – 
Linux infrastructure. -以下安装配置文档将会说明在 Windows 和 Linux 的混合系统环境中,关于用户,机器,共享磁盘,权限及其它资源信息的主要配置点。 +以下安装配置文档将会说明在 Windows 和 Linux 的混合系统环境中,关于用户、机器、共享卷、权限及其它资源信息的主要配置点。 #### 环境要求: -1. [Ubuntu 16.04 服务器安装Server Installation][1]. -2. [Ubuntu 14.04 服务器安装Server Installation][2]. +1. [Ubuntu 16.04 服务器安装][1] +2. [Ubuntu 14.04 服务器安装][2] 3. 为你的 AD DC 服务器[设置静态IP地址][3] -### Step 1: 初始化 Samba4 安装环境 +### 第一步:初始化 Samba4 安装环境 -1. 在开始安装 Samba4 AD DC 之前,咱们先运行一些先决条件的检查步骤。首先运行以下命令来确保系统已更新了最新的安全特性,内核及其它补丁: +1、 在开始安装 Samba4 AD DC 之前,让我们先做一些准备工作。首先运行以下命令来确保系统已更新了最新的安全特性,内核及其它补丁: ``` $ sudo apt-get update @@ -38,17 +37,17 @@ $ sudo apt-get upgrade $ sudo apt-get dist-upgrade ``` -2. 其次,打开服务器上的 /etc/fstab 文件,确保文件系统分区的 ACL 已经设置为 enabled ,如下图所示。 +2、 其次,打开服务器上的 `/etc/fstab` 文件,确保文件系统分区的 ACL 已经启用 ,如下图所示。 -通常情况下,当前常见的 Linux 文件系统,比如 ext3,ext4,xfs 或 btrfs 都默认支持并已经设置 ACL 为enabled 。如果未设置,则打开并编辑 /etc/fstab 文件,在第三列添加 'acl',然后重启系统以使用修改的配置生效。 +通常情况下,当前常见的 Linux 文件系统,比如 ext3、ext4、xfs 或 btrfs 都默认支持并已经启用了 ACL 。如果未设置,则打开并编辑 `/etc/fstab` 文件,在第三列添加 `acl`,然后重启系统以使用修改的配置生效。 [ ![Enable ACL's on Linux Filesystem](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-ACL-on-Linux-Filesystem.png) ][5] -启动 Linux 文件系统的 ACL 功能 +*启动 Linux 文件系统的 ACL 功能* -3. 最后使用一个具有描述性的名称来[设置主机名][6] ,比如这往篇文章所使用的 ‘adc1'。通过编辑 /etc/hostname 文件或使用使用下图所示的命令来设置主机名。 +3、 最后使用一个具有描述性的名称来[设置主机名][6] ,比如这往篇文章所使用的 `adc1`。通过编辑 `/etc/hostname` 文件或使用使用下图所示的命令来设置主机名。 ``` $ sudo hostnamectl set-hostname adc1 @@ -56,9 +55,9 @@ $ sudo hostnamectl set-hostname adc1 为了使修改的主机名生效必须重启服务器。 -### Step 2: 为 Samba4 AD DC 服务器安装必需的软件包 +### 第二步: 为 Samba4 AD DC 服务器安装必需的软件包 -4. 为了让你的服务器转变为域控服务器,你需要在服务器上使用具有 root 权限的账号执行以下命令来安装 Samba 套件及所有必需的软件包。 +4、 为了让你的服务器转变为域控制器,你需要在服务器上使用具有 root 权限的账号执行以下命令来安装 Samba 套件及所有必需的软件包。 ``` $ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind 
@@ -67,52 +66,52 @@ $ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss ![Install Samba on Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/11/Install-Samba-on-Ubuntu.png) ][7] -在Ubuntu系统上安装 Samba套件 +*在 Ubuntu 系统上安装 Samba 套件* -5. 安装包在执行的过程中将会询问你一系列的问题以便完成域控制器的配置。 +5、 安装包在执行的过程中将会询问你一系列的问题以便完成域控制器的配置。 + +在第一屏中你需要以大写为 Kerberos 默认 REALM 输入一个名字。以**大写**为你的域环境输入名字,然后单击回车继续。 -在第一个截图中你需要为 Kerberos 添加一个默认的大写的名字 ’REALM‘。输入你的域环境中需要使用的大写的域名,然后单击 Enter 继续。 [ ![Configuring Kerberos Authentication](http://www.tecmint.com/wp-content/uploads/2016/11/Configuring-Kerberos-Authentication.png) ][8] -配置 Kerosene 认证服务 +*配置 Kerosene 认证服务* -6. 下一步,输入当前域中 Kerberos 服务器的主机名。使用跟域或相同的名字,这一次使用小写,然后单击 Enter 继续。 +6、 下一步,输入你的域中 Kerberos 服务器的主机名。使用和上面相同的名字,这一次使用**小写**,然后单击回车继续。 [ ![Set Hostname Kerberos Server](http://www.tecmint.com/wp-content/uploads/2016/11/Set-Hostname-Kerberos-Server.png) ][9] -设置 Kerberos 服务器的主机名 +*设置 Kerberos 服务器的主机名* -7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the same as your domain and hit Enter to finish the installation.最后,指定 Kerberos realm 管理服务器的主机名。使用跟域名相同的名字,单击 Enter 后安装完成。 +7、 最后,指定 Kerberos realm 管理服务器的主机名。使用更上面相同的名字,单击回车安装完成。 [ ![Set Hostname Administrative Server](http://www.tecmint.com/wp-content/uploads/2016/11/Set-Hostname-Administrative-Server.png) ][10] -Set Hostname Administrative Server -设置管理服务器的主机名 +*设置管理服务器的主机名* -### Step 3: 为你的域环境开启 Samba AD DC 服务 +### 第三步:为你的域环境开启 Samba AD DC 服务 -8. 在为域服务器配置 Samba 服务之前,先运行如下命令来停止并禁用所有 Samba 进程。 +8、 在为域服务器配置 Samba 服务之前,先运行如下命令来停止并禁用所有 Samba 进程。 ``` $ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service $ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service ``` -9. 
下一步,重命名或删除 Samba 原始配置文件。在开启 Samba 服务之前,必须执行这一步操作,因为在开启服务的过程中 Samba 将会创建一个新的配置文件,如果检测到原有的 ’smb.conf' 配置文件则会报错。 +9、 下一步,重命名或删除 Samba 原始配置文件。在开启 Samba 服务之前,必须执行这一步操作,因为在开启服务的过程中 Samba 将会创建一个新的配置文件,如果检测到原有的 `smb.conf` 配置文件则会报错。 ``` $ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial ``` -10. 现在,使用 root 权限的账号并接受 Samba 提示的默认选项,以交互试方式启动 domain provision。 +10、 现在,使用 root 权限的账号并接受 Samba 提示的默认选项,以交互方式启动域供给(domain provision)。 -还有,输入正确的 DNS 服务器地址并且为 Administrator 账号设置强密码。如果使用的是弱密码,则 domain provison 过程会失败。 +还有,输入正确的 DNS 服务器地址并且为 Administrator 账号设置强密码。如果使用的是弱密码,则域供给过程会失败。 ``` $ sudo samba-tool domain provision --use-rfc2307 –interactive @@ -121,9 +120,9 @@ $ sudo samba-tool domain provision --use-rfc2307 –interactive ![Samba Domain Provisioning](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Domain-Provisioning.png) ][11] -Samba Domain Provisioning +*Samba 域供给* -11. 最后,使用以下命令重命名或删除 Kerberos 认证在 /etc 目录下的主配置文件,并且把 Samba 新生成的 Kerberos 配置文件创建一个软链接指向 /etc 目录。 +11、 最后,使用以下命令重命名或删除 Kerberos 认证在 `/etc` 目录下的主配置文件,并且把 Samba 新生成的 Kerberos 配置文件创建一个软链接指向 `/etc` 目录。 ``` $ sudo mv /etc/krb6.conf /etc/krb5.conf.initial @@ -133,9 +132,9 @@ $ sudo ln –s /var/lib/samba/private/krb5.conf /etc/ ![Create Kerberos Configuration](http://www.tecmint.com/wp-content/uploads/2016/11/Create-Kerberos-Configuration.png) ][12] -创建 Kerberos 配置文件 +*创建 Kerberos 配置文件* -12. 启动并开启 Samba 活动目录域控制器后台进程 +12、 启动并开启 Samba 活动目录域控制器后台进程 ``` $ sudo systemctl start samba-ad-dc.service @@ -146,9 +145,9 @@ $ sudo systemctl enable samba-ad-dc.service ![Enable Samba Active Directory Domain Controller](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-Samba-AD-DC.png) ][13] -开启 Samba 活动目录域控制器服务 +*开启 Samba 活动目录域控制器服务* -13. 下一步,[使用 netstat 命令][14] 来验证活动目录启动的服务是否正常。 +13、 下一步,[使用 netstat 命令][14] 来验证活动目录启动的服务是否正常。 ``` $ sudo netstat –tulpn| egrep ‘smbd|samba’ 
@@ -157,13 +156,13 @@ $ sudo netstat –tulpn| egrep ‘smbd|samba’ ![Verify Samba Active Directory](http://www.tecmint.com/wp-content/uploads/2016/11/Verify-Samba-Active-Directory.png) ][15] -验证 Samba 活动目录 +*验证 Samba 活动目录* -### Step 4: Samba 最后的配置 +### 第四步: Samba 最后的配置 -14. 此刻,Samba 应该跟你想像的一样,完全运行正常。Samba 现在实现的域功能级别可以完全跟 Windows AD DC 2008 R2 相媲美。 +14、 此刻,Samba 应该跟你想像的一样,完全运行正常。Samba 现在实现的域功能级别可以完全跟 Windows AD DC 2008 R2 相媲美。 -可以使用 samba-tool 工具来验证 Samba 服务是否正常 +可以使用 `samba-tool` 工具来验证 Samba 服务是否正常: ``` $ sudo samba-tool domain level show @@ -172,9 +171,9 @@ $ sudo samba-tool domain level show ![Verify Samba Domain Level](http://www.tecmint.com/wp-content/uploads/2016/11/Verify-Samba-Domain-Level.png) ][16] -验证 Samba 域服务级别 +*验证 Samba 域服务级别* -15. 为了满足 DNS 本地解析的需求,你可以编辑网卡配置文件,修改 dns-nameservers 参数的值为域控制器地址(使用 127.0.0.1作为本地 DNS 解析地址),并且设置 dns-search 参数为你的 realm 值。 +15、 为了满足 DNS 本地解析的需求,你可以编辑网卡配置文件,修改 `dns-nameservers` 参数的值为域控制器地址(使用 127.0.0.1 作为本地 DNS 解析地址),并且设置 `dns-search` 参数为你的 realm 值。 ``` $ sudo cat /etc/network/interfaces @@ -184,24 +183,25 @@ $ sudo cat /etc/resolv.conf ![Configure DNS for Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Configure-DNS-for-Samba-AD.png) ][17] -为 Samba 配置 DNS 服务器地址 +*为 Samba 配置 DNS 服务器地址* -设置完成后,重启服务并检查解析文件是否指向正确的 DNS 服务器地址。 +设置完成后,重启服务器并检查解析文件是否指向正确的 DNS 服务器地址。 -16. 最后,通过 ping 命令查询结果来检查某些重要的 AD DC 记录是否正常,使用类似下面的命令,替换对应的域名。 +16、 最后,通过 `ping` 命令查询结果来检查某些重要的 AD DC 记录是否正常,使用类似下面的命令,替换对应的域名。 ``` -$ ping –c3 tecmint.lan #Domain Name -$ ping –c3 adc1.tecmint.lan #FQDN -$ ping –c3 adc1 #Host +$ ping –c3 tecmint.lan # 域名 +$ ping –c3 adc1.tecmint.lan # FQDN +$ ping –c3 adc1 # 主机 ``` [ ![Check Samba AD DNS Records](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-AD-DNS-Records.png) ][18] -检查 Samba AD DNS Records +*检查 Samba AD DNS 记录* + +执行下面的一些查询命令来检查 Samba 活动目录域控制器是否正常。 -执行下面的一些查询命令来检查 Samba 活动目录域控制器是否正常。 ``` $ host –t A tecmint.lan $ host –t A adc1.tecmint.lan 
@@ -209,7 +209,7 @@ $ host –t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record $ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record ``` -17. 并且,通过请求一个域管理员账号的票据来列出缓存的票据信息以验证 Kerberos 认证是否正常。注意域名部分使用大写。 +17、 并且,通过请求一个域管理员账号的身份来列出缓存的票据信息以验证 Kerberos 认证是否正常。注意域名部分使用大写。 ``` $ kinit administrator@TECMINT.LAN @@ -219,19 +219,19 @@ $ klist ![Check Kerberos Authentication on Domain](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Kerberos-Authentication-on-Domain.png) ][19] -检查域环境中的 Kerberos 认证是否正确 +*检查域环境中的 Kerberos 认证是否正确* 至此! 你当前的网络环境中已经完全运行着一个 AD 域控制器,你现在可以把 Windows 或 Linux 系统的主机集成到 Samba AD 中了。 -在下一期的文章中将会包括其它Samba AD 域的主题,比如,在 Samba 命令行下如何管理你的域控制器,如何把 Windows 10 系统主机添加到同一个域环境中,如何使用 RSAT 工具远程管理 Samba AD 域,以及其它重要的主题。 +在下一期的文章中将会包括其它 Samba AD 域的主题,比如,在 Samba 命令行下如何管理你的域控制器,如何把 Windows 10 系统主机添加到同一个域环境中,如何使用 RSAT 工具远程管理 Samba AD 域,以及其它重要的主题。 -------------------------------------------------------------------------------- via: http://www.tecmint.com/install-samba4-active-directory-ubuntu/ -作者:[Matei Cezar ][a] -译者:[译者ID](https://github.com/rusking) -校对:[校对者ID](https://github.com/校对者ID) +作者:[Matei Cezar][a] +译者:[rusking](https://github.com/rusking) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From f66ec9cae609d5972fb8b34f69ce0d22e4c96e73 Mon Sep 17 00:00:00 2001 From: wxy Date: Mon, 26 Dec 2016 17:47:43 +0800 Subject: [PATCH 003/181] =?UTF-8?q?PUB:20161121=20Create=20an=20Active=20D?= =?UTF-8?q?irectory=20Infrastructure=20with=20Samba4=20on=20Ubuntu=20?= =?UTF-8?q?=E2=80=93=20Part=201?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking --- ...ive Directory Infrastructure with Samba4 on Ubuntu – Part 1.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md (100%) 
diff --git a/translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md b/published/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md similarity index 100% rename from translated/tech/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md rename to published/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md From 0f90f6cc2265461871d4b00b5eb4797cdfdf89b6 Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Mon, 26 Dec 2016 09:53:13 +0000 Subject: [PATCH 004/181] Update 20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md --- ...o Linux - Move from SQL Server to MySQL as well.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md index 0e98e6a3e9..b35a3dc0b7 100644 --- a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -1,27 +1,32 @@ 翻译中 by ypingcn -Moving with SQL Server to Linux? Move from SQL Server to MySQL as well! +把 SQL Server 迁移到Linux?也把 SQL Server 换成 MySQL 吧! ============================================================ -### On this page +### 在这篇文章里将会讲 -1. [To have Control Over the Platform][1] +1.  [To have Control Over the Platform][1] 2. [Joining the Crowd][2] 3. [Microsoft isn’t Open Sourcing SQL Server’s Code][3] 4. [Saving on License Costs][4] 5. [Sometimes, the Specific Hardware being Used][5] 6. [Support][6] +最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 Over the recent years, there has been a large number of individuals as well as organizations who are ditching the Windows platform for Linux platform, and this number will continue to grow as more developments in Linux are experienced. Linux has for long been the leader in Web servers as most of the web servers run on Linux, and this could be one of the reasons why the high migration is being experienced. +迁移的原因有很多,从更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL Server数据库管理系统的迁移也有着同样的趋势, 首选的是MySQL,因为MySQL的互用性、平台独立和低的购置成本。 The reasons for this migration are as numerous, ranging from more platform stability, reliability, costs, ownership and security among others. As more entities migrate to the Linux platform, so is the migration from MS SQL server database management system, top MySQL, because of interoperability and platform independence of MySQL, as well as low acquisition costs. +有多少个人和组织完成了迁移,就有多少商业需求应该被满足,迁移,不能只是为了乐趣。同样的,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 As much as the migration is to be done, the need for it should be necessitated by the business and not just for the mere pleasure of it.As such, a comprehensive feasibility and cost-benefit analysis should be carried out to know the impact that the migration will have on your business, both positive and negative. 
+迁移需要基于以下的重要因素: The migration may be based on the following key factors: ### To have Control Over the Platform +不像Windows那样每次发布和修复都不能完全掌控,Linux 真正给了你灵活性去获取修复。 Unlike in windows where you are not in full control of the releases and fixes, Linux does give you that flexibility to get fixes as and when you require them. This is preferred by developers and security personnel in that they are able to immediately apply a fix when a security threat is identified, unlike in Windows where you can only hope they release the fixes soon. ### Joining the Crowd From 7e439921ce616871c330dd89bc13c1da06adfd2e Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Mon, 26 Dec 2016 11:53:34 +0000 Subject: [PATCH 005/181] Update 20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md --- ...erver to Linux - Move from SQL Server to MySQL as well.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md index b35a3dc0b7..3321ce034e 100644 --- a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -26,15 +26,16 @@ The migration may be based on the following key factors: ### To have Control Over the Platform -不像Windows那样每次发布和修复都不能完全掌控,Linux 真正给了你灵活性去获取修复。 +不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候, Linux 真正给了你灵活性去获取他们。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即修复它。 Unlike in windows where you are not in full control of the releases and fixes, Linux does give you that flexibility to get fixes as and when you require them. This is preferred by developers and security personnel in that they are able to immediately apply a fix when a security threat is identified, unlike in Windows where you can only hope they release the fixes soon. ### Joining the Crowd +目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,那将会增加他们的运营成本。 The Linux platform far outnumbers Windows in the number of servers that are running on it, nearly a quarter of all servers in the world, and the trend is not about to change anytime soon. Many organizations, therefore, do migrate so as to be fully on Linux rather than running two platforms concurrently, which adds up to their operating costs. ### Microsoft isn’t Open Sourcing SQL Server’s Code - +尽管微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版,但是微软并不会开放源代码,这意味着他们的协议依旧有效。 In as much as Microsoft have announced that their next release of MSSQL server (named Denali) will be a Linux version, that will still not open their source code, meaning that their licenses will still apply, but the release will be run on Linux. This still locks out the many users who would happily take to the release if it was open source. This still does not give an alternative to those users who are using Oracle, which is not open source; neither does it to those [using MySQL][7], which is fully open source. From cb147d6ca4f084882da34dc02bfac8ec5bd9c56f Mon Sep 17 00:00:00 2001 
From: wxy Date: Mon, 26 Dec 2016 20:47:11 +0800 Subject: [PATCH 006/181] PROOF:20160817 Dependency Injection for the Android platform 101 - Part 1 @GitFuture --- ...n for the Android platform 101 - Part 1.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md b/translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md index 6ae6ddccfb..b8c4427b83 100644 --- a/translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md +++ b/translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md @@ -1,19 +1,19 @@ -安卓平台上的依赖注入 - 第一部分 +安卓平台上的依赖注入(一) =========================== ![](https://d262ilb51hltx0.cloudfront.net/max/2000/1*YWlAzAY20KLLGIyyD_mzZw.png) 刚开始学习软件工程的时候,我们经常会碰到像这样的事情: ->软件应该符合 SOLID 原则。 +> 软件应该符合 SOLID 原则。 但这句话实际是什么意思?让我们看看 SOLID 中每个字母在架构里所代表的重要含义,例如: -- [S 单职责原则][1] -- [O 开闭原则][2] -- [L Liskov 替换原则][3] -- [I 接口分离原则][4] -- [D 依赖反转原则][5] 这也是依赖注入的核心概念。 +- [S - 单职责原则][1] +- [O - 开闭原则][2] +- [L - Liskov 替换原则][3] +- [I - 接口分离原则][4] +- [D - 依赖反转原则][5] 这也是依赖注入(dependency injection)的核心概念。 简单来说,我们需要提供一个类,这个类有它所需要的所有对象,以便实现其功能。 @@ -39,7 +39,7 @@ class DependencyInjection { } ``` -正如我们所见,第一种情况是我们在构造器里创建了依赖对象,但在第二种情况下,它作为参数被传递给构造器,这就是我们所说的依赖注入。这样做是为了让我们所写的类不依靠特定依赖关系的实现,却能直接使用它。 +正如我们所见,第一种情况是我们在构造器里创建了依赖对象,但在第二种情况下,它作为参数被传递给构造器,这就是我们所说的依赖注入(dependency injection)。这样做是为了让我们所写的类不依靠特定依赖关系的实现,却能直接使用它。 参数传递的目标是构造器,我们就称之为构造器依赖注入;或者是某个方法,就称之为方法依赖注入: 
@@ -58,13 +58,13 @@ class Example { ``` -要是你想总体深入地了解依赖注入,可以看看由 [Dan Lew][t2] 发表的[精彩的演讲][t1],事实上是这个演讲启迪了这个概述。 +要是你想总体深入地了解依赖注入,可以看看由 [Dan Lew][t2] 发表的[精彩的演讲][t1],事实上是这个演讲启迪了这篇概述。 -在 Android 平台,当需要框架来处理依赖注入这个特殊的问题时,我们有不同的选择,其中最有名的框架就是 [Dagger 2][t3]。它最开始是由 Square 公司(译者注:Square 是美国一家移动支付公司)里一些很棒的开发者开发出来的,然后慢慢发展成由 Google 自己开发。特别地,Dagger 1 先被开发出来,然后 Big G 接手这个项目,做了很多改动,比如以注释为基础,在编译的时候就完成 Dagger 的任务,也就是第二个版本。 +在 Android 平台,当需要框架来处理依赖注入这个特殊的问题时,我们有不同的选择,其中最有名的框架就是 [Dagger 2][t3]。它最开始是由 Square 公司(LCTT 译注:Square 是美国一家移动支付公司)的一些很棒的开发者开发出来的,然后慢慢发展成由 Google 自己开发。首先开发出来的是 Dagger 1,然后 Big G 接手这个项目发布了第二个版本,做了很多改动,比如以注解(annotation)为基础,在编译的时候完成其任务。 ### 导入框架 -安装 Dagger 并不难,但需要导入 `android-apt` 插件,通过向项目的根目录下的 build.gradle 文件中添加它的依赖关系: +安装 Dagger 并不难,但需要导入 `android-apt` 插件,通过向项目的根目录下的 `build.gradle` 文件中添加它的依赖关系: ``` buildscript{ @@ -76,13 +76,13 @@ buildscript{ } ``` -然后,我们需要将 `android-apt` 插件应用到项目 build.gradle 文件,放在文件顶部 Android 应用那一句的下一行: +然后,我们需要将 `android-apt` 插件应用到项目 `build.gradle` 文件,放在文件顶部 Android application 那一句的下一行: ``` apply plugin: ‘com.neenbedankt.android-apt’ ``` -这个时候,我们只用添加依赖关系,然后就能使用库和注释了: +这个时候,我们只用添加依赖关系,然后就能使用库及其注解(annotation)了: ``` dependencies{ @@ -93,11 +93,11 @@ dependencies{ } ``` ->需要加上最后一个依赖关系是因为 @Generated 注解在 Android 里还不可用,但它是[原生的 Java 注解][t4]。 +> 需要加上最后一个依赖关系是因为 @Generated 注解在 Android 里还不可用,但它是[原生的 Java 注解][t4]。 ### Dagger 模块 -要注入依赖,首先需要告诉框架我们能提供什么(比如说上下文)以及特定的对象应该怎样创建。为了完成注入,我们用 `@Module` 注释对一个特殊的类进行了注解(这样 Dagger 就能识别它了),寻找 `@Provide` 标记的方法,生成图表,能够返回我们所请求的对象。 +要注入依赖,首先需要告诉框架我们能提供什么(比如说上下文)以及特定的对象应该怎样创建。为了完成注入,我们用 `@Module` 注释对一个特殊的类进行了注解(这样 Dagger 就能识别它了),寻找 `@Provide` 注解的方法,生成图表,能够返回我们所请求的对象。 看下面的例子,这里我们创建了一个模块,它会返回给我们 `ConnectivityManager`,所以我们要把 `Context` 对象传给这个模块的构造器。 
@@ -122,11 +122,11 @@ public class ApplicationModule { } ``` ->Dagger 中十分有意思的一点是只用在一个方法前面添加一个 Singleton 注解,就能处理所有从 Java 中继承过来的问题。 +> Dagger 中十分有意思的一点是简单地注解一个方法来提供一个单例(Singleton),就能处理所有从 Java 中继承过来的问题。 -### 容器 +### 组件 -当我们有一个模块的时候,我们需要告诉 Dagger 想把依赖注入到哪里:我们在一个容器里,一个特殊的注解过的接口里完成依赖注入。我们在这个接口里创造不同的方法,而接口的参数是我们想注入依赖关系的类。 +当我们有一个模块的时候,我们需要告诉 Dagger 想把依赖注入到哪里:我们在一个组件(Component)里完成依赖注入,这是一个我们特别创建的特殊注解接口。我们在这个接口里创造不同的方法,而接口的参数是我们想注入依赖关系的类。 下面给出一个例子并告诉 Dagger 我们想要 `MainActivity` 类能够接受 `ConnectivityManager`(或者在图表里的其它依赖对象)。我们只要做类似以下的事: @@ -139,15 +139,15 @@ public interface ApplicationComponent { } ``` ->正如我们所见,@Component 注解有几个参数,一个是所支持的模块的数组,意味着它能提供的依赖。这里既可以是 Context 也可以是 ConnectivityManager,因为他们在 ApplicationModule 类中有声明。 +> 正如我们所见,@Component 注解有几个参数,一个是所支持的模块的数组,代表它能提供的依赖。这里既可以是 `Context` 也可以是 `ConnectivityManager`,因为它们在 `ApplicationModule` 类中有声明。 -### 使用 +### 用法 -这时,我们要做的是尽快创建容器(比如在应用的 onCreate 方法里面)并且返回这个容器,那么类就能用它来注入依赖了: +这时,我们要做的是尽快创建组件(比如在应用的 `onCreate` 阶段)并返回它,那么类就能用它来注入依赖了: ->为了让框架自动生成 DaggerApplicationComponent,我们需要构建项目以便 Dagger 能够扫描我们的代码库,并且生成我们需要的部分。 +> 为了让框架自动生成 `DaggerApplicationComponent`,我们需要构建项目以便 Dagger 能够扫描我们的代码,并生成我们需要的部分。 -在 `MainActivity` 里,我们要做的两件事是用 `@Inject` 注解符对想要注入的属性进行注释,调用我们在 `ApplicationComponent` 接口中声明的方法(请注意后面一部分会因我们使用的注入类型的不同而变化,但这里简单起见我们不去管它),然后依赖就被注入了,我们就能自由使用他们: +在 `MainActivity` 里,我们要做的两件事是用 `@Inject` 注解符对想要注入的属性进行注解,调用我们在 `ApplicationComponent` 接口中声明的方法(请注意后面一部分会因我们使用的注入类型的不同而变化,但这里简单起见我们不去管它),然后依赖就被注入了,我们就能自由使用他们: ``` public class MainActivity extends AppCompatActivity { @@ -164,7 +164,7 @@ public class MainActivity extends AppCompatActivity { ### 总结 -当然了,我们可以手动注入依赖,管理所有不同的对象,但 Dagger 打消了很多有关模板的“噪声”,Dagger 给我们有用的附加品(比如 `Singleton`),而仅用 Java 处理将会很糟糕。 +当然了,我们可以手动注入依赖,管理所有不同的对象,但 Dagger 消除了很多比如模板这样的“噪声”,给我们提供有用的附加品(比如 `Singleton`),而仅用 Java 处理将会很糟糕。 -------------------------------------------------------------------------------- 
@@ -172,7 +172,7 @@ via: https://medium.com/di-101/di-101-part-1-81896c2858a0#.3hg0jj14o 作者:[Roberto Orgiu][a] 译者:[GitFuture](https://github.com/GitFuture) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 1a9ec784d8516cecf8653bd57716c1e3b7fdb4de Mon Sep 17 00:00:00 2001 From: wxy Date: Mon, 26 Dec 2016 20:47:34 +0800 Subject: [PATCH 007/181] PUB: 0160817 Dependency Injection for the Android platform 101 - Part 1 @GitFuture --- ... Dependency Injection for the Android platform 101 - Part 1.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20160817 Dependency Injection for the Android platform 101 - Part 1.md (100%) diff --git a/translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md b/published/20160817 Dependency Injection for the Android platform 101 - Part 1.md similarity index 100% rename from translated/tech/20160817 Dependency Injection for the Android platform 101 - Part 1.md rename to published/20160817 Dependency Injection for the Android platform 101 - Part 1.md From e62c56208290d455e32f2f4f2dc29996cc8e4670 Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Mon, 26 Dec 2016 21:36:15 +0800 Subject: [PATCH 008/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 感谢 @name1e5s --- ... Silicon Valley shares her 'nerd' story.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md b/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md index 4bb3b39ec3..2ac7b96567 100644 --- a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md 
+++ b/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md 
@@ -27,45 +27,45 @@ *我们的 LISA 看起来就像这样,看到鼠标了吗?CC BY-SA 4.0* -在学校,我的数学的概念学得不错,但是基本计算却惨不忍睹。我的第一个学校的老师告诉我的家长和我,说我的数学很差,还说我很“笨”。虽然我在“常规的”数学项目中表现出色,能理解一个 7 岁的孩子能理解的逻辑谜题,但是我不能完成我们每天早上都要做的“练习”。她说我傻,这事我不会忘记。在那之后的十年我都没能相信自己的逻辑能力和算法的水平。**不要低估你对孩子说的话的影响**。 +在学校,我的数学的概念学得不错,但是基本计算却惨不忍睹。我的第一个学校的老师告诉我的家长和我,说我的数学很差,还说我很“笨”。虽然我在“常规的”数学项目中表现出色,能理解一个超出 7 岁孩子理解能力的逻辑谜题,但是我不能完成我们每天早上都要做的“练习”。她说我傻,这事我不会忘记。在那之后的十年我都没能相信自己的逻辑能力和算法的水平。**不要低估你对孩子说的话的影响**。 在我玩了几年爸爸的电脑之后,他从 Apple 公司跳槽到了 EA,又跳到了 SGI,我又体验了他带回来的新玩意。这让我们认为我们家的房子是镇里最酷的,因为我们在车库里有一个能玩 Doom 的 SGI 的机器。我不会太多的编程,但是现在看来,从那些年里我学到对尝试新的科技毫不恐惧。同时,我的学文学和教育的母亲,成为了一个科技行业的作家,她向我证实了一个人的职业可以改变,而且一个做母亲的人可能同时驾驭一个科技职位。我不是说这对她来说很简单,但是她让我认为这件事看起来很简单。你可能会想这些早期的熏陶能把我带到科技行业,但是它没有。 ### 本科时光 -我想我要成为一个小学教师,我就读米尔斯学院就是想要做这个。但是后来我开始研究女性,后来有研究神学,我这样做仅仅是由于我自己的一个渴求:我希望能理解人类的意志以及为更好的世界而努力。 +我想我要成为一个小学教师,我就读米尔斯学院就是想要做这个。但是后来我开始研究女性,后来又研究神学,我这样做仅仅是由于我自己的一个渴求:我希望能理解人类的意志以及为更好的世界而努力。 -同时,我也感受到了互联网的巨大力量。在 1991 年,拥有你自己的 UNIX 的账户是很令人高兴的事,这件事值得你向全世界的人吹嘘。我仅仅从在互联网中“玩”就学到了不少,从那些愿意回答我提出的问题的人那里学到的就更多了。这些学习对我的职业生涯的影响不亚于我在学校教育部之中学到的知识。没有没有用的信息。我在一个女子学院度过了影响我一生的关键时期,然后那个女子学院的一个辉煌的女人跑进了计算机院,我不忍为这是一个事故。在那个老师的权力不算太大的学院,我们不止是被允许,甚至是被鼓励去尝试很多的道路(我们能接触到很多很多的科技,还能有聪明人来供我们求助),我也确实那样做了。我十分感激当年的教育。在那个学院,我也了解了什么是极客文化。 +同时,我也感受到了互联网的巨大力量。在 1991 年,拥有你自己的 UNIX 的账户,能够和全世界的人谈话,是很令人兴奋的事。我仅仅从在互联网中“玩”就学到了不少,从那些愿意回答我提出的问题的人那里学到的就更多了。这些学习对我的职业生涯的影响不亚于我在正规学校教育之中学到的知识。所有的信息都是有用的。我在一个女子学院度过了学习的关键时期,那时是一个杰出的女性在掌管计算机院。在那个宽松氛围的学院,我们不仅被允许,还被鼓励去尝试很多的道路(我们能接触到很多很多的科技,还有聪明人愿意帮助我们),我也确实那样做了。我十分感激当年的教育。在那个学院,我也了解了什么是极客文化。 -之后我去了研究生院去学习 女权主义神学,但是技术行业的气息已经渗入我的灵魂。当我知道我不能成为一个教授或者一个专家时,我离开了学术圈,带着债务和很多点子回到了家。 +之后我去了研究生院去学习女性主义神学,但是技术的气息已经渗入我的灵魂。当我意识到我不想成为一个教授或者一个学术伦理家时,我离开了学术圈,带着学校债务和一些想法回到了家。 ### 新的开端 -在 1995 年,我被我看见的万维网连接 人们以及分享想法和信息的能力所震惊(直到现在仍是如此)。我想要进入这个行业。看起来我好像要“女承父业”,但是我不知道我会用什么方式来这样做。我开始在硅谷做临时工,在我在太阳微系统公司得到我的第一个“技术”职位前做一些事情(为数据写最基础的数据库,技术手册印发钱的事务,备份工资单的存跟)。这些事很让人激动。(毕竟,我们是“点 com”的那个”点“)。 +在 1995 年,我被万维网连接人们以及分享想法和信息的能力所震惊(直到现在仍是如此)。我想要进入这个行业。看起来我好像要“女承父业”,但是我不知道如何开始。我开始在硅谷做临时工,从 Sun Microsystems 
公司得到我的第一个“真正”技术职位前尝试做了一些事情(为半导体数据写最基础的数据库,技术手册印发前的事务,备份工资单的存跟)。这些事很让人激动。(毕竟,我们是“.com”中的那个”点“)。 -在 Sun ,我努力学习,尽可能多的尝试我新事物。我的第一个工作是网页化(啥?这是一个单独的词汇)论文以及为测试中的 Solaris 修改一些基础的服务工具(大多数是Perl写的)。在那里最终在 Open Solaris 的测试版运行时我感受到了开源的力量。 +在 Sun ,我努力学习,尽可能多的尝试新事物。我的第一个工作是网页化 HTMLing(啥?这是一个词!)白皮书,以及为 Beta 程序修改一些基础的服务工具(大多数是Perl写的)。后来我成为 Solaris beta 项目组中的项目经理,并在 Open Solaris 的 Beta 版运行中感受到了开源的力量。 -在那里我学到了一个很重要的事情。我发现在同样重视工程和教育的地方有一种气氛,在那里我的问题不再显得“傻”。我很庆幸我选对了导师和朋友。在决定为第二个孩子的出生产假之前,我上每一堂我能上的课程,读每一本我能读的书,尝试自学我在学校没有学习过的技术,商业以及项目管理方面的技能。 +在那里我做的最重要的事情就是学校。我发现在同样重视工程和教育的地方有一种气氛,在那里我的问题不再显得“傻”。我很庆幸我选对了导师和朋友。在决定休第二个孩子的产假之前,我上每一堂我能上的课程,读每一本我能读的书,尝试自学我在学校没有学习过的技术,商业以及项目管理方面的技能。 ### 重回工作 -当我准备重新工作时,Sun 已经不是一个值得回去的地方。所以,我收集了很多人的信息(网络是你的朋友),利用我的沟通技能最终建立了一个互联网门户(2005 年时,一切皆门户),并且开始了解 CRM,发布产品的方式,本地化,网络等知识。我这么做是基于我过去的尝试以及失败的经历所得出的教训,也是这个教训让我成功。我也认为我们需要这个方面的榜样。 +当我准备重新工作时,Sun 已经不是可行的地方。所以,我收集了很多人的信息(网络是你的朋友),利用我的沟通技能,最终获得了一个管理互联网门户的长期合同(2005 年时,一切皆门户),并且开始了解 CRM,发布产品的方式,本地化,网络等知识。我讲这么多背景,主要是我尝试以及失败的经历,和我成功的经历同等重要,从中学到很多。我也认为我们需要这个方面的榜样。 -从很多方面来看,我的职业生涯的第一部分是 我的技术上的自我教育。这事发生的时间和地点都和现在不一样——我在帮助女性和其他弱势群体的组织工作,但是我之后成为一个技术行业的女性。当时我无疑,没有看到这个行业的缺陷,现在这个行业更加的厌恶女性,而不是更加喜欢她们。 +从很多方面来看,我的职业生涯的第一部分是我的技术教育。这事发生的时间和地点都和现在不一样了 —— 我在帮助组织中的女性和其他弱势群体,但是我之后成为一个技术行业的女性。当时无疑我没有看到这个行业的缺陷,但是现在这个行业更加的厌恶女性,一点没有减少。 -在这些事情之后,我还没有把自己当作一个榜样,或者一个高级技术人员。当我的一个在父母的圈子里认识极客朋友鼓励我申请一个看起来定位十分模糊且技术性很强的开源的非盈利基础设施商店(互联网系统协会,BIND,一个广泛部署的开源服务器的开发商,13 台 DNS 根域名服务器之一的运营商)的项目经理时,我很震惊。有很长一段时间,我都不知道他们为什么要雇佣我!我对 DNS ,基础设备,以及协议的开发知之甚少,但是我再次遇到了老师,并再度开始飞速发展。我花时间旅行,在关键流程攻关,搞清楚如何与高度国际化的团队合作,解决麻烦的问题,最重要的是,拥抱支持我们的开源和充满活力的社区。我几乎重新学了一切,通过试错的方式。我学习如何构思一个产品。如何通过建设开源社区,领导那些有这特定才能,技能和耐心的人,是他们给了产品价值。 +在这些事情之后,我还没有把自己当作一个标杆,或者一个高级技术人员。当我在父母圈子里认识的一位极客朋友鼓励我申请一个看起来定位十分模糊且技术性很强的开源的非盈利基础设施商店(互联网系统协会,BIND --一个广泛部署的开源 DNS 名称服务器--的缔造者,13 台根域名服务器之一的运营商)的产品经理时,我很震惊。有很长一段时间,我都不知道他们为什么要雇佣我!我对 DNS ,基础设备,以及协议的开发知之甚少,但是我再次遇到了老师,并再度开始飞速发展。我花时间旅行,在关键流程攻关,搞清楚如何与高度国际化的团队合作,解决麻烦的问题,最重要的是,拥抱支持我们的开源和充满活力的社区。我几乎重新学了一切,通过试错的方式。我学习如何构思一个产品。如何通过建设开源社区,领导那些有这特定才能,技能和耐心的人,是他们给了产品价值。 
### 成为别人的导师 -当我在 ISC 工作时,我通过 [TechWomen 项目][2] (一个让来自中东和北非的技术行业的女性带到硅谷来接受教育的计划),我开始喜欢教学生以及支持那些女性,特别是在开源行业中奋斗的。这也就是我开始相信自己的能力的开端。我还需要学很多。 +当我在 ISC 工作时,我通过 [TechWomen 项目][2] (一个让来自中东和北非的技术行业的女性到硅谷来接受教育的计划),我开始喜欢教学生以及支持那些技术女性,特别是在开源行业中奋斗的。也正是从这时起我开始相信自己的能力。我还需要学很多。 -当我第一次读 TechWomen 的广告时,我认为那些导师甚至都不会想要和我说话!我有冒名顶替综合征。当他们邀请我成为第一批导师(以及以后 6 年的导师)时,我很震惊,但是现在我学会了相信这些都是我努力得到的待遇。冒名顶替综合征是真实的,但是它能被时间冲淡。 +当我第一次读 TechWomen 关于导师的广告时,我认为那些导师甚至都不会想要和我说话!我有冒名顶替综合征。当他们邀请我成为第一批导师(以及以后 6 年的导师)时,我很震惊,但是现在我学会了相信这些都是我努力得到的待遇。冒名顶替综合征是真实的,但是它能被时间冲淡。 ### 现在 -最后,我不得不离开我在 ISC 的工作。幸运的是,我的工作以及我的价值让我进入了 Mozilla ,在这里我的努力和我的幸运让我在这里有着重要的作用。现在,我是一名支持多样性的包容的高级项目经理。我致力于构建一个更多样化,更有包容性的 Mozilla ,站在之前的做同样事情的巨人的肩膀上,与最聪明友善的人们一起工作。我用我的激情来让人们找到贡献一个世界需要的互联网的有意义的方式:这让我兴奋了很久。我能看见,我做到了! +最后,我不得不离开我在 ISC 的工作。幸运的是,我的工作以及我的价值让我进入了 Mozilla ,在这里我的努力和我的幸运让我在这里承担着重要的角色。现在,我是一名支持多样性的高级项目经理。我致力于构建一个更多样化,更有包容性的 Mozilla ,站在之前的做同样事情的巨人的肩膀上,与最聪明友善的人们一起工作。我用我的激情来让人们找到贡献一个世界需要的互联网的有意义的方式:这让我兴奋了很久。我能看见,我做到了! -通过对组织和个人行为的干预来用一种新的方法来改变一种文化这件事情和我的人生有着十分奇怪的联系 —— 从我的早期的学术生涯,到职业生涯再到现在。每天都是一个新的挑战,我想我最喜欢的就是在科技行业的工作,尤其是在开放互联网的工作。互联网天然的多元性是它最开始吸引我的原因,也是我还在寻求的——一个所有人都有获取的资源可能性,无论背景如何。榜样,导师,资源,以及最重要的,对不断发展的技术和开源文化的尊重能实现我相信它能实现的事 —— 包括给任何的平等的接入权和机会。 +通过对组织和个人行为的干预来获取一种新的方式,以改变文化,这和我的人生轨迹有着不可思议的联系 —— 从我的早期的学术生涯,到职业生涯再到现在。每天都是一个新的挑战,我想这是我喜欢在科技行业工作,尤其是在开放互联网工作的地方。互联网天然的多元性是它最开始吸引我的原因,也是我还在寻求的 —— 所有人都有机会和获取资源的可能性,无论背景如何。榜样,导师,资源,以及最重要的,尊重,是不断发展技术和开源文化的必要组成部分,实现我相信它能实现的所有事 —— 包括给所有人平等的接触机会。 -------------------------------------------------------------------------------- From b91091fe5049f205aaaa495ecc3e2c2c8124cc78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E4=B8=80=E8=88=AA?= Date: Mon, 26 Dec 2016 22:19:24 +0800 Subject: [PATCH 009/181] =?UTF-8?q?[=E7=BF=BB=E8=AF=91=E4=B8=AD]=20By=20:?= =?UTF-8?q?=20WangYihang?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../20161201 How to Build an Email Server on Ubuntu Linux.md | 1 + 1 file changed, 1 insertion(+) 
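Review bot: In the Sun paragraph of the 20160505 "A daughter of Silicon Valley" hunk, the new line `+在那里我做的最重要的事情就是学校。` ends in 学校 (school), which reads as a typo for 学习 (learn), since the sentences that follow are about taking every class and self-study; suggest 在那里我做的最重要的事情就是学习。 Two smaller points in the same hunk: the rewritten ".com" line still carries the reversed quotes in ”点“ (should be “点”), and the ISC line sets off the BIND aside with ASCII `--` where the neighbouring added lines use ——.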
diff --git a/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md b/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md index 075b6d54b9..f46891b365 100644 --- a/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md +++ b/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md @@ -1,4 +1,5 @@ translating by dongdongmian +translating by WangYihang How to Build an Email Server on Ubuntu Linux ============================================================ From f5a087e6932687e778f4e4ed72811daa12083741 Mon Sep 17 00:00:00 2001 From: "Fuliang.Li" Date: Mon, 26 Dec 2016 23:55:27 +0800 Subject: [PATCH 010/181] Delete 20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md --- ...n of Red Hat Enterprise Linux 7.3 Guide.md | 259 ------------------ 1 file changed, 259 deletions(-) delete mode 100644 sources/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md diff --git a/sources/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md b/sources/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md deleted file mode 100644 index 4cc64e587d..0000000000 --- a/sources/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md +++ /dev/null 
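Review bot: The one-line hunk for sources/tech/20161201 "How to Build an Email Server on Ubuntu Linux" appends `+translating by WangYihang` directly under the existing `translating by dongdongmian`, so the source file now carries two translation claims at once. If the article is being handed over, replace the earlier claim line instead of adding a second one; if dongdongmian is still working on it, this claim should be withdrawn.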
@@ -1,259 +0,0 @@ -GHLandy Translating - -Installation of Red Hat Enterprise Linux (RHEL) 7.3 Guide -============================================================ - -Red Hat Enterprise Linux is an Open Source Linux distribution developed by Red Hat company, which can run all major processor architectures. Unlike other Linux distributions which are free to download, install and use, RHEL can be downloaded and used, with the exception the 30-day evaluation version, only if you buy a subscription. - -In this tutorial will take a look on how you can install the latest release of RHEL 7.3, on your machine using the 30-day evaluation version of the ISO image downloaded from Red Hat Customer Portal at [https://access.redhat.com/downloads][1]. - -If you’re looking for CentOS, go through our [CentOS 7.3 Installation Guide][2]. - -To review what’s new in RHEL 7.3 release please read the [version release notes][3]. - -#### Pre-Requirements - -This installation will be performed on a UEFI virtualized firmware machine. To perform the installation of RHELon a UEFI machine first you need to instruct the EFI firmware of your motherboard to modify the Boot Ordermenu in order to boot the ISO media from the appropriate drive (DVD or USB stick). - -If the installation is done through a bootable USB media, you need to assure that the bootable USB is created using a UEFI compatible tool, such as [Rufus][4], which can partition your USB drive with a valid GPT partition scheme required by UEFI firmware. - -To modify the motherboard UEFI firmware settings you need to press a special key during your machine initialization POST (Power on Self Test). - -The proper special key needed for this configuration can be obtained by consulting your motherboard vendor manual. Usually, these keys can be F2, F9, F10, F11 or F12 or a combination of Fn with these keys in case your device is a Laptop. 
- -Besides modifying UEFI Boot Order you need to make sure that QuickBoot/FastBoot and Secure Boot options are disabled in order to properly run RHEL from EFI firmware. - -Some UEFI firmware motherboard models contain an option which allows you to perform the installation of an Operating System from Legacy BIOS or EFI CSM (Compatibility Support Module), a module of the firmware which emulates a BIOS environment. Using this type of installation requires the bootable USB drive to be partitioned in MBR scheme, not GPT style. - -Also, once you install RHEL, or any other OS for that matter, on your UEFI machine from one of these two modes, the OS must run on the same firmware you’ve performed the installation. - -You can’t switch from UEFI to BIOS Legacy or vice-versa. Switching between UEFI and Bios Legacy will render your OS unusable, unable to boot and the OS will require reinstallation. - -### Installation Guide of RHEL 7.3 - -1. First, download and burn RHEL 7.3 ISO image on a DVD or create a bootable USB stick using the correct utility. - -Power-on the machine, place the DVD/USB stick in the appropriate drive and instruct UEFI/BIOS, by pressing a special boot key, to boot from the appropriate installation media. - -Once the installation media is detected it will boot-up in RHEL grub menu. From here select Install red hat Enterprise Linux 7.3 and press [Enter] key to continue. - -[ - ![RHEL 7.3 Boot Menu](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg) -][5] - -RHEL 7.3 Boot Menu - -2. The next screen appearing will take you to the welcome screen of RHEL 7.3 From here chose the language that will be used for the installation process and press [Enter] key to move on to the next screen. - -[ - ![Select RHEL 7.3 Language](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png) -][6] - -Select RHEL 7.3 Language - -3. 
The next screen that will appear contains a summary of all the items you will need to setup for the installation of RHEL. First hit on DATE & TIME item and choose the physical location of your device from the map. - -Hit on the upper Done button to save the configuration and proceed further with configuring the system. - -[ - ![RHEL 7.3 Installation Summary](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png) -][7] - -RHEL 7.3 Installation Summary - -[ - ![Select RHEL 7.3 Date and Time](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png) -][8] - -Select RHEL 7.3 Date and Time - -4. On the next step, configure your system keyboard layout and the and hit on Done button again to go back to the main installer menu. - -[ - ![Configure Keyboard Layout](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Keyboard-Layout.png) -][9] - -Configure Keyboard Layout - -5. Next, select the language support for your system and hit Done button to move to the next step. - -[ - ![Choose Language Support](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png) -][10] - -Choose Language Support - -6. Leave the Installation Source item as default because in this case we’re performing the installation from our local media drive (DVD/USB image) and click on Software Selection item. - -From here you can choose the base environment and Add-ons for your RHEL OS. Because RHEL is a Linux distribution inclined to be used mostly for servers, the Minimal Installation item is the perfect choice for a system administrator. - -This type of installation is the most recommended in a production environment because only the minimal software required to properly run the OS will be installed. - -This also means a high degree of security and flexibility and a small size footprint on your machine hard drive. 
All other environments and add-ons listed here can be easily installed afterwards from command line by buying a subscription or by using the DVD image as a source. - -[ - ![RHEL 7.3 Software Selection](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png) -][11] - -RHEL 7.3 Software Selection - -7. In case you want to install one of the pre-configured server base environments, such as Web Server, File and Print Server, Infrastructure Server, Virtualization Host or Server with a Graphical User Interface, just check the preferred item, choose Add-ons from the right plane and hit on Done button finish this step. - -[ - ![Select Server with GUI on RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png) -][12] - -Select Server with GUI on RHEL 7.3 - -8. On the next step hit on Installation Destination item in order to select the device drive where the required partitions, file system and mount points will be created for your system. - -The safest method would be to let the installer automatically configure hard disk partitions. This option will create all basic partitions required for a Linux system (`/boot`, `/boot/efi` and `/(root)` and `swap` in LVM), formatted with the default RHEL 7.3 file system, XFS. - -Keep in mind that if the installation process was started and performed from UEFI firmware, the partition table of the hard disk would be GPT style. Otherwise, if you boot from CSM or BIOS legacy, the hard drive partition table would be old MBR scheme. - -If you’re not satisfied with automatic partitioning you can choose to configure your hard disk partition table and manually create your custom required partitions. - -Anyway, in this tutorial we recommend that you choose to automatically configure partitioning and hit on Donebutton to move on. 
- -[ - ![Choose RHEL 7.3 Installation Drive](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png) -][13] - -Choose RHEL 7.3 Installation Drive - -9. Next, disable Kdump service and move to network configuration item. - -[ - ![Disable Kdump Feature](http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png) -][14] - -Disable Kdump Feature - -10. In Network and Hostname item, setup and apply your machine host name using a descriptive name and enable the network interface by dragging the Ethernet switch button to `ON` position. - -The network IP settings will be automatically pulled and applied in case you have a DHCP server in your network. - -[ - ![Configure Network Hostname](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png) -][15] - -Configure Network Hostname - -11. To statically setup the network interface click on the Configure button and manually configure the IPsettings as illustrated on the below screenshot. - -When you finish setting-up the network interface IP addresses, hit on Save button, then turn `OFF` and `ON` the network interface in order to apply changes. - -Finally, click on Done button to return to the main installation screen. - -[ - ![Configure Network IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png) -][16] - -Configure Network IP Address - -12. Finally, the last item you need to configure from this menu is a Security Policy profile. Select and apply the Default security policy and hit on Done to go back to the main menu. - -Review all your installation items and hit on Begin Installation button in order to start the installation process. Once the installation process has been started you cannot revert changes. 
- -[ - ![Apply Security Policy for RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png) -][17] - -Apply Security Policy for RHEL 7.3 - -[ - ![Begin Installation of RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png) -][18] - -Begin Installation of RHEL 7.3 - -13. During the installation process the User Settings screen will appear on your monitor. First, hit on Root Password item and choose a strong password for the root account. - -[ - ![Configure User Settings](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png) -][19] - -Configure User Settings - -[ - ![Set Root Account Password](http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png) -][20] - -Set Root Account Password - -14. Finally, create a new user and grant the user with root privileges by checking Make this user administrator. Choose a strong password for this user, hit on Done button to return to the User Settings menu and wait for the installation process to finish. - -[ - ![Create New User Account](http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png) -][21] - -Create New User Account - -[ - ![RHEL 7.3 Installation Process](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png) -][22] - -RHEL 7.3 Installation Process - -15. After the installation process finishes with success, eject the DVD/USB key from the appropriate drive and reboot the machine. - -[ - ![RHEL 7.3 Installation Complete](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png) -][23] - -RHEL 7.3 Installation Complete - -[ - ![Booting Up RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png) -][24] - -Booting Up RHEL 7.3 - -That’s all! 
In order to further use Red Hat Enterprise Linux, buy a subscription from Red Hat customer portal and [register your RHEL system using subscription-manager][25] command line. - ------------------- - -作者简介: - -Matei Cezar - -![](http://2.gravatar.com/avatar/be16e54026c7429d28490cce41b1e157?s=128&d=blank&r=g) - -I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. - --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/red-hat-enterprise-linux-7-3-installation-guide/ - -作者:[Matei Cezar][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/cezarmatei/ -[1]:https://access.redhat.com/downloads -[2]:http://www.tecmint.com/centos-7-3-installation-guide/ -[3]:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.3_Release_Notes/chap-Red_Hat_Enterprise_Linux-7.3_Release_Notes-Overview.html -[4]:https://rufus.akeo.ie/ -[5]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg -[6]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png -[7]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png -[8]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png -[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Keyboard-Layout.png -[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png -[11]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png -[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png -[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png 
-[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png -[15]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png -[16]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png -[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png -[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png -[19]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png -[20]:http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png -[21]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png -[22]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png -[23]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png -[24]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png -[25]:http://www.tecmint.com/enable-redhat-subscription-reposiories-and-updates-for-rhel-7/ From 145c9af8a2cf02d4474eba97574be89cb59e7972 Mon Sep 17 00:00:00 2001 From: "Fuliang.Li" Date: Tue, 27 Dec 2016 00:02:30 +0800 Subject: [PATCH 011/181] =?UTF-8?q?[=E5=AE=8C=E6=88=90=E7=BF=BB=E8=AF=91]?= =?UTF-8?q?=20Installation=20of=20Red=20Hat=20Enterprise=20Linux=207.3=20G?= =?UTF-8?q?uide?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RHEL (Red Hat Enterprise Linux,红帽企业级 Linux) 7.3 安装指南 --- ...n of Red Hat Enterprise Linux 7.3 Guide.md | 217 ++++++++++++++++++ 1 file changed, 217 insertions(+) create mode 100644 translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md diff --git a/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md b/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md new file mode 100644 index 0000000000..d064b2460e --- /dev/null 
+++ b/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md 
@@ -0,0 +1,217 @@ +RHEL (Red Hat Enterprise Linux,红帽企业级 Linux) 7.3 安装指南 +===== + +RHEL 是红帽公司开发维护的开源 Linux 发行版,可以运行在所有的主流 CPU 架构中。一般来说,多数的 Linux 发行版都可以免费下载、安装和使用,但对于 RHEL,只有在购买了订阅之后,你才能下载和使用,否则只能获取到试用期为 30 天的评估版。 + +本文会告诉你如何在你的机器上安装最新的 RHEL 7.3,当然了,使用的是期限 30 天的评估版 ISO 镜像,自行到 [https://access.redhat.com/downloads][1] 下载。 + +如果你更喜欢使用 CentOS,请移步 [CentOS 7.3 安装指南][2]。 + +欲了解 RHEL 7.3 的新特性,请参考 [版本更新日志][3]. + +#### 先决条件 + +本次安装是在支持 UEFI 的虚拟机固件上进行的。为了完成安装,你首先需要进入主板的 EFI 固件更改启动顺序为已刻录好 ISO 镜像的对应设备(DVD 或者 U 盘)。 + +如果是通过 USB 媒介来安装,你需要确保这个可以启动的 USB 设备是用支持 UEFI 兼容的工具来创建的,比如 [Rufus][4],它能将你的 USB 设备设置为 UEFI 固件所需要的 GPT 分区方案。 + +为了进入主板的 UEFI 固件设置面板,你需要在电脑初始化 POST (Power on Self Test,通电自检) 的时候按下一个特殊键。 + +关于该设置需要用到特殊键,你可以向主板厂商进行咨询获取。通常来说,在笔记本上,可能是这些键:F2、F9、F10、F11 或者 F12,也可能是 Fn 与这些键的组合。 + +此外,更改 UEFI 启动顺序前,你要确保快速启动选项 (QuickBoot/FastBoot) 和 安全启动选项 (Secure Boot) 处于关闭状态,这样才能在 EFI 固件中运行 RHEL。 + +有一些 UEFI 固件主板模型有这样一个选项,它让你能够以传统的 BIOS 或者 EFI CSM (Compatibility Support Module,兼容支持模块) 两种模式来安装操作系统,其中 CSM 是主板固件中一个用来模拟 BIOS 环境的模块。这种类型的安装需要 U 盘以 MBR 而非 GPT 来进行分区。 + +此外,一旦你在含有两种模式的 UEFI 机器中成功安装好 RHEL 或者类似的 OS,那么安装好的系统就必须和你安装时使用的模式来运行。 + +而且,你也不能够从 UEFI 模式变更到传统的 BIOS 模式,反之亦然。强行变更这两种模式会让你的系统变得不稳定、无法启动,同时还需要重新安装系统。 + +### RHEL 7.3 安装指南 + +1. 首先,下载并使用合适的工具刻录 RHEL 7.3 ISO 镜像到 DVD 或者创建一个可启动的 U 盘。 + + 给机器加电启动,把 DVD/U 盘反正合适驱动器中并按下特定的启动键变得更启动顺序来启动安装介质。 + + 探测到安装介质之后,它会启动到 RHEL grub 菜单。选择 Install red hat Enterprise Linux 7.3 并按 [Enter] 继续。 + + [![RHEL 7.3 Boot Menu](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg)][5] + + RHEL 7.3 启动菜单 + +2. 之后屏幕就会显示 RHEL 7.3 欢迎界面。该界面选择安装过程中使用的语言 (LCTT 译注:这里选的只是安装过程中使用的言语,之后的安装中才会进行最终使用的系统言语环境) ,然后 [Enter] 到下一界面。 + + [![Select RHEL 7.3 Language](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png)][6] + + 选择 RHEL 7.3 安装过程使用的言语 + +3. 
下一界面中显示的是安装 RHEL 是你需要设置的所有事项的总体概览。首先点击日期和时间 (DATE & TIME) 并再地图中选择你的设备所在区域。 + + 点击最上面的完成 (Done) 按钮来保持你的设置,并进行下一步系统设置。 + + [![RHEL 7.3 Installation Summary](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png)][7] + + RHEL 7.3 安装概览 + + [![Select RHEL 7.3 Date and Time](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png)][8] + + 选择 RHEL 7.3 日期和时间 + +4. 接下来,就是配置你的键盘布局并再次点击完成 (Done) 按钮返回安装主菜单。 + + [![Configure Keyboard Layout](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Keyboard-Layout.png)][9] + + 配置键盘布局 + +5. 紧接着,选择你使用的语言支持,并点击完成 (Done),然后进行下一步。 + + [![Choose Language Support](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png)][10] + + 选择语言支持 + +6. 安装源保持默认就好,因为本例中我们使用本地安装 (DVD/USB 镜像),然后选择要安装的软件集。 + + 此处你对基本环境 (base environment) 和附件 (Add-ons) 进行选择。由于 RHEL 常用作 Linux 服务器,最小化安装对于系统管理员来说则是最佳选择。 + + 对于生产环境来说,这也是官方极力推荐的安装方式,因为我们只需要在 OS 中安装极少量软件就好了。 + + 这也意味着高安全性、可伸缩性以及占用极少的磁盘空间。同时,通过购买订阅 (subscription) 或使用 DVD 镜像元,其中列出的的其他环境和附件都是可以在命令行中很容易就可以安装的。 + + [![RHEL 7.3 Software Selection](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png)][11] + + RHEL 7.3 软件集选择 + +7. 万一你想要安装预定义的基本环境之一,比方说 Web 服务器、文件 & 打印服务器、基本服务器、带 GUI 的可视化主机 & 服务器等,直接点击选择它们,然后在右边的框选择附件,最后点击完成 (Done) 结束这一步操作即可。 + + [![Select Server with GUI on RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png)][12] + + 选择 带 GUI 的可视化主机 & 服务器 + +8. 
在接下来点击安装目标 (Installation Destination),这个步骤要求你为将要安装的系统进行分区、格式化文件系统并设置挂载点。 + + 最好的做法就是让安装器自动配置硬盘分区,这样会创建 Linux 系统所有需要用到的基本分区 (在 LVM 中 分区 `/boot`、`/boot/efi`、`/(root)` 以及 `swap` ),并格式化为 RHEL 7.3 默认的 XFS 文件系统。 + + 请记住:如果安装进程是从 UEFI 固件中启动的,那么硬盘的分区表则是 GPT 分区方案。否则,如果你以 CSM 或传统 BIOS 来启动,硬盘的分区表则使用老旧的 MBR 分区方案。 + + 假如不喜欢自动分区,你也可以选择配置你的硬盘分区表,手动创建自己需要的分区。 + + 不论如何,本文推荐你选择自动配置分区。最后点击完成 (Done) 继续下一步。 + + [![Choose RHEL 7.3 Installation Drive](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png)][13] + + 选择 RHEL 7.3 的安装硬盘 + +9. 下一步是禁用 Kdump 服务,然后配置网络。 + + [![Disable Kdump Feature](http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png)][14] + + 禁用 Kdump 特性 + +10. 在网络和主机名称中,设置你机器使用的主机名和一个描述性名称,同时拖动 Ethernet 开关按钮到 `ON` 来启用网络。 + + 如果你在自己的网络中有一个 DHCP 服务器,那么网络 IP 设置会自动获取和使用。 + + [![Configure Network Hostname](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png)][15] + + 配置网络主机名称 + +11. 如果要为网络接口设置静态 IP,点击配置 (Configure) 按钮,然后手动设置 IP,如下方截图所示。 + + 设置好网络接口的 IP 地址之后,点击保存 (Save) 按钮,最后切换一下网络接口的 `OFF` 和 `ON` 状态已应用刚刚设置的静态 IP。 + + 最后,点击完成 (Done) 按钮返回到安装设置主界面。 + + [![Configure Network IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png)][16] + + 配置网络 IP 地址 + +12. 最后,在安装配置主界面需要你配置的最后一项就是安全策略配置文件了。选择并应用默认的安全策略,然后点击完成 (Done) 返回主界面。 + + 回顾所有的安装设置项并点击开始安装 (Begin Installation) 按钮来启动安装进程,这个进程启动之后,你就没有办法停止它了。 + + [![Apply Security Policy for RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png)][17] + + 为 RHEL 7.3 启用安全策略 + + [![Begin Installation of RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png)][18] + + 开始安装 RHEL 7.3 + +13. 
在安装进程中,你的显示器会出现用户设置 (User Settings)。首先点击 Root 密码 (Root Password) 为 root 账户设置一个高强度密码。 + + [![Configure User Settings](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png)][19] + + 配置用户选项 + + [![Set Root Account Password](http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png)][20] + + 设置 Root 账户密码 + +14. 最后,创建一个新用户,通过选中使该用户成为管理员 (Make this user administrator) 为新建的用户授权 root 权限。同时还要为这个账户设置一个高强度密码,点击完成 (Done) 返回用户设置菜单,就可以等待安装进程完成了。 + + [![Create New User Account](http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png][21] + + 创建新用户账户 + + [![RHEL 7.3 Installation Process](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png)][22] + + RHEL 7.3 安装进程 + +15. 安装进程介绍并成功安装后,弹出 DVD/USB 设备,重启机器。 + + [![RHEL 7.3 Installation Complete](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png)][23] + + RHEL 7.3 安装完成 + + [![Booting Up RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png)][24] + + 启动 RHEL 7.3 + + 至此,安装完成。为了后期一直使用 RHEL,你需要从 Red Hat 消费者门户购买一个订阅,然后在命令行 [使用订阅管理器来注册你的 RHEL 系统][25]。 + +------------------ + +作者简介: + +Matei Cezar + +![](http://2.gravatar.com/avatar/be16e54026c7429d28490cce41b1e157?s=128&d=blank&r=g) + +我是一个终日沉溺于电脑的家伙,对开源的 Linux 软件非常着迷,有着 4 年 Linux 桌面发行版、服务器和 bash 编程经验。 + +--------------------------------------------------------------------- + +via: http://www.tecmint.com/red-hat-enterprise-linux-7-3-installation-guide/ + +作者:[Matei Cezar][a] +译者:[GHLandy](https://github.com/GHLandy) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:https://access.redhat.com/downloads +[2]:https://linux.cn/article-8048-1.html 
+[3]:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.3_Release_Notes/chap-Red_Hat_Enterprise_Linux-7.3_Release_Notes-Overview.html +[4]:https://rufus.akeo.ie/ +[5]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg +[6]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png +[7]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png +[8]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Keyboard-Layout.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png +[11]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png +[15]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png +[16]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png +[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png +[21]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png +[22]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png +[23]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png +[24]:http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png 
+[25]:http://www.tecmint.com/enable-redhat-subscription-reposiories-and-updates-for-rhel-7/ From 22088df1b67bad3d99e9176a24e870fdebf0040e Mon Sep 17 00:00:00 2001 From: xiaojin Date: Tue, 27 Dec 2016 00:46:02 +0800 Subject: [PATCH 012/181] =?UTF-8?q?Delete=2020161124=20How=20to=20Manage?= =?UTF-8?q?=20Samba4=20AD=20Infrastructure=20from=20Linux=20Command=20Line?= =?UTF-8?q?=20=E2=80=93=20Part=202.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 删除原文 --- ...ucture from Linux Command Line – Part 2.md | 382 ------------------ 1 file changed, 382 deletions(-) delete mode 100644 sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md diff --git a/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md deleted file mode 100644 index 7bedb54890..0000000000 --- a/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md +++ /dev/null 
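Review bot: In step 14 of the new translated/tech/20161215 RHEL 7.3 guide, the image link `[![Create New User Account](http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png][21]` is missing the closing `)` before `][21]`, so it will not render; every other screenshot link in the hunk closes it. The text also needs a proofreading pass before merge: step 1 has 反正 where 放在 is meant and 变得更启动顺序 for 变更启动顺序, step 2 has 言语 for 语言, step 3 has 保持 for 保存 and 再地图中 for 在地图中, step 6 has 镜像元 for 镜像源, step 11 has 已应用 for 以应用, and step 15 has 介绍 for 结束. In step 7, "Virtualization Host or Server with a Graphical User Interface" from the deleted English source is rendered as 带 GUI 的可视化主机 & 服务器; 可视化 means visualization, and 虚拟化主机 matches the original.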
@@ -1,382 +0,0 @@ -#rusking translating - -How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 -============================================================ - -This tutorial will cover [some basic daily commands][2] you need to use in order to manage Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups. - -We’ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller. - -#### Requirements - -1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] - -### Step 1: Manage Samba AD DC from Command Line - -1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain. - -With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions. - -To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter. - -``` -# samba-tool -h -``` -[ - ![samba-tool - Manage Samba Administration Tool](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png) -][3] - -samba-tool – Manage Samba Administration Tool - -2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users. 
- -In order to create a user on AD use the following command: - -``` -# samba-tool user add your_domain_user -``` - -To add a user with several important fields required by AD, use the following syntax: - -``` ---------- review all options --------- -# samba-tool user add -h -# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash -``` -[ - ![Create User on Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png) -][4] - -Create User on Samba AD - -3. A listing of all samba AD domain users can be obtained by issuing the following command: - -``` -# samba-tool user list -``` -[ - ![List Samba AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png) -][5] - -List Samba AD Users - -4. To delete a samba AD domain user use the below syntax: - -``` -# samba-tool user delete your_domain_user -``` - -5. Reset a samba domain user password by executing the below command: - -``` -# samba-tool user setpassword your_domain_user -``` - -6. In order to disable or enable an samba AD User account use the below command: - -``` -# samba-tool user disable your_domain_user -# samba-tool user enable your_domain_user -``` - -7. Likewise, samba groups can be managed with the following command syntax: - -``` ---------- review all options --------- -# samba-tool group add –h -# samba-tool group add your_domain_group -``` - -8. Delete a samba domain group by issuing the below command: - -``` -# samba-tool group delete your_domain_group -``` - -9. To display all samba domain groups run the following command: - -``` -# samba-tool group list -``` - -10. 
To list all the samba domain members in a specific group use the command: - -``` -# samba-tool group listmembers "your_domain group" -``` -[ - ![List Samba Domain Members of Group](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png) -][6] - -List Samba Domain Members of Group - -11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands: - -``` -# samba-tool group addmembers your_domain_group your_domain_user -# samba-tool group remove members your_domain_group your_domain_user -``` - -12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security. - -To review your samba domain password settings use the below command: - -``` -# samba-tool domain passwordsettings show -``` -[ - ![Check Samba Domain Password](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png) -][7] - -Check Samba Domain Password - -13. In order to modify samba domain password policy, such as the password complexity level, password ageing, length, how many old password to remember and other security features required for a Domain Controller use the below screenshot as a guide. - -``` ----------- List all command options ---------- -# samba-tool domain passwordsettings -h -``` -[ - ![Manage Samba Domain Password Settings](http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png) -][8] - -Manage Samba Domain Password Settings - -Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes. - -### Step 2: Samba Local Authentication Using Active Directory Accounts - -14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DCenvironment. 
- -In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC. - -First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot. - -``` -$ sudo nano /etc/samba/smb.conf -``` - -Make sure the following statements appear on the configuration file: - -``` -winbind enum users = yes -winbind enum groups = yes -``` -[ - ![Samba Authentication Using Active Directory User Accounts](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png) -][9] - -Samba Authentication Using Active Directory User Accounts - -15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command. - -``` -$ testparm -$ sudo systemctl restart samba-ad-dc.service -``` -[ - ![Check Samba Configuration for Errors](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png) -][10] - -Check Samba Configuration for Errors - -16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directory accounts to be able to authenticate and open a session on the local system and create a home directory for users at first login. - -Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using `[space]` key as illustrated on the below screenshot. - -When finished hit `[Tab]` key to move to Ok and apply changes. 
- -``` -$ sudo pam-auth-update -``` -[ - ![Configure PAM for Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png) -][11] - -Configure PAM for Samba4 AD - -[ - ![Enable PAM Authentication Module for Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png) -][12] - -Enable PAM Authentication Module for Samba4 AD Users - -17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot. - -``` -$ sudo vi /etc/nsswitch.conf -``` -[ - ![Add Windbind Service Switch for Samba](http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png) -][13] - -Add Windbind Service Switch for Samba - -18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement. - -This setting assures that Active Directory users can change their password from command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from console. - -``` -password [success=1 default=ignore] pam_winbind.so try_first_pass -``` -[ - ![Allow Samba AD Users to Change Passwords](http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png) -][14] - -Allow Samba AD Users to Change Passwords - -Remove use_authtok option each time PAM updates are installed and applied to PAM modules or each time you execute pam-auth-update command. - -19. Samba4 binaries comes with a winbindd daemon built-in and enabled by default. - -For this reason you’re no longer required to separately enable and run winbind daemon provided by winbind package from official Ubuntu repositories. 
- -In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands: - -``` -$ sudo systemctl disable winbind.service -$ sudo systemctl stop winbind.service -``` - -Although, we no longer need to run old winbind daemon, we still need to install Winbind package from repositories in order to install and use wbinfo tool. - -Wbinfo utility can be used to query Active Directory users and groups from winbindd daemon point of view. - -The following commands illustrates how to query AD users and groups using wbinfo. - -``` -$ wbinfo -g -$ wbinfo -u -$ wbinfo -i your_domain_user -``` -[ - ![Check Samba4 AD Information ](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png) -][15] - -Check Samba4 AD Information - -[ - ![Check Samba4 AD User Info](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png) -][16] - -Check Samba4 AD User Info - -20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file. - -Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database. - -``` -# getent passwd | grep TECMINT -# getent group | grep TECMINT -``` -[ - ![Get Samba4 AD Details](http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png) -][17] - -Get Samba4 AD Details - -### Step 3: Login in Linux with an Active Directory User - -21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after `su -` command. - -At the first login a message will be displayed on the console which notifies you that a home directory has been created on `/home/$DOMAIN/` system path with the mane of your AD username. - -Use id command to display extra information about the authenticated user. 
- -``` -# su - your_ad_user -$ id -$ exit -``` -[ - ![Check Samba4 AD User Authentication on Linux](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png) -][18] - -Check Samba4 AD User Authentication on Linux - -22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system. - -``` -$ su - your_ad_user -$ passwd -``` -[ - ![Change Samba4 AD User Password](http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png) -][19] - -Change Samba4 AD User Password - -23. By default, Active Directory users are not granted with root privileges in order to perform administrative tasks on Linux. - -To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command. - -Make sure you enclose the realm, slash and AD username with single ASCII quotes. - -``` -# usermod -aG sudo 'DOMAIN\your_domain_user' -``` - -To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions. - -``` -# su - tecmint_user -$ sudo apt-get update -``` -[ - ![Grant sudo Permission to Samba4 AD User](http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png) -][20] - -Grant sudo Permission to Samba4 AD User - -24. In case you want to add root privileges for all accounts of an Active Directory group, edit /etc/sudoers file using visudo command and add the below line after root privileges line, as illustrated on the below screenshot: - -``` -%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL -``` - -Pay attention to sudoers syntax so you don’t break things out. 
- -Sudoers file doesn’t handles very well the use of ASCII quotation marks, so make sure you use `%` to denote that you’re referring to a group and use a backslash to escape the first slash after the domain name and another backslash to escape spaces if your group name contains spaces (most of AD built-in groups contain spaces by default). Also, write the realm with uppercases. - -[ - ![Give Sudo Access to All Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png) -][21] - -Give Sudo Access to All Samba4 AD Users - -That’s all for now! Managing Samba4 AD infrastructure can be also achieved with several tools from Windows environment, such as ADUC, DNS Manager, GPM or other, which can be obtained by installing RSAT package from Microsoft download page. - -To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial, till then stay tuned to TecMint. 
- --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/manage-samba4-active-directory-linux-command-line - -作者:[Matei Cezar ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/cezarmatei/ -[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ -[2]:http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/ -[3]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png -[4]:http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png -[5]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png -[6]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png -[7]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png -[8]:http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png -[9]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png -[10]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png -[11]:http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png -[12]:http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png -[13]:http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png -[14]:http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png -[15]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png -[16]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png -[17]:http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png 
-[18]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png -[19]:http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png -[20]:http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png -[21]:http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png From 74caff77d0901bc9cec80aee03e67fa6c3f00ac5 Mon Sep 17 00:00:00 2001 From: xiaojin Date: Tue, 27 Dec 2016 00:46:49 +0800 Subject: [PATCH 013/181] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E8=AF=91=E6=96=87=20?= =?UTF-8?q?20161124=20How=20to=20Manage=20Samba4=20AD=20Infrastructure=20f?= =?UTF-8?q?rom=20Linux=20Command=20Line=20=E2=80=93=20Part=202.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add translation --- ...ucture from Linux Command Line – Part 2.md | 377 ++++++++++++++++++ 1 file changed, 377 insertions(+) create mode 100644 translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md diff --git a/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md new file mode 100644 index 0000000000..211852dc84 --- /dev/null +++ b/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md 
@@ -0,0 +1,377 @@ +How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 +============================================================ +在 Linux 命令行下管理 Samba4 AD 架构 —— 第 2 节 + +这篇文章包括你管理 Samba4 域控制器架构过程中的[一些常用命令][2],比如添加,移除,禁用或者列出用户及用户组等。 + +我们也会关注一下如何配置域安全策略以及如何把 AD 用户绑定到本地的 PAM 认证中,以实现 AD 用户能够在 Linux 域控制器上进行本地登录。 + +#### 要求 + +1. [在 Ubuntu 16.04系统上,使用 Samba4 创建一个 AD 架构环境 —— 第一节][1] + +### 第一步:在命令行下管理 + +1. 可以通过 samba-tool 命令工具来进行管理,这个工具为域管理工作提供了一个功能强大的管理接口。 + +通过 samba-tool 命令行接口,你可以直接管理域用户及用户组,域组策略,域站点,DNS 服务,域复制关系和其它重要的域功能。 + +使用 root 权限的账号,直接输入 samba-tool 命令,不要加任何参数选项来查看该工具能实现的所有功能。 + +``` +# samba-tool -h +``` +[ + ![samba-tool - Manage Samba Administration Tool](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png) +][3] + +samba-tool —— Samba 管理工具 + +2. 现在,咱们开始使用 samba-tool 工具来管理 Samba4 活动目录中的用户。 + +使用如下命令来创建 AD 用户: +``` +# samba-tool user add your_domain_user +``` + +添加一个用户,包括 AD 可选的一些重要属性,如下所示: + +``` +--------- review all options --------- +# samba-tool user add -h +# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash +``` +[ + ![Create User on Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png) +][4] + +在 Samba AD 上创建用户 + +3. 可以通过下面的命令来列出所有 Samba AD 域用户: + +``` +# samba-tool user list +``` +[ + ![List Samba AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png) +][5] + +列出 Samba AD 用户信息 + +4. 使用下面的命令来删除 sambas AD 域用户: + +``` +# samba-tool user delete your_domain_user +``` + +5. 重置 Samba 域用户的密码: + +``` +# samba-tool user setpassword your_domain_user +``` + +6. 启用或禁用 Samba 域用户账号 + +``` +# samba-tool user disable your_domain_user +# samba-tool user enable your_domain_user +``` + +7. 同样地,可以使用下面的方法来管理 samba 用户组: +8.  +``` +--------- review all options --------- +# samba-tool group add –h +# samba-tool group add your_domain_group +``` + +8. 
删除 samba 域用户组: + +``` +# samba-tool group delete your_domain_group +``` + +9. 显示所有的 samba 域用户组信息: +10.  +``` +# samba-tool group list +``` + +10. 列出指定组下的 samba 域用户: + +``` +# samba-tool group listmembers "your_domain group" +``` +[ + ![List Samba Domain Members of Group](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png) +][6] + +列出 Samba 域用户组 + +11. 从 samba 域组中添加或删除某一用户: + +``` +# samba-tool group addmembers your_domain_group your_domain_user +# samba-tool group remove members your_domain_group your_domain_user +``` + +12. 如上面所提到的, samba-tool 命令行工具也可以用于管理 samba 域策略及安全。 + +查看 samba 域密码设置: + +``` +# samba-tool domain passwordsettings show +``` +[ + ![Check Samba Domain Password](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png) +][7] + +检查 Samba 域密码 + +13. 为了修改 samba 域密码策略,比如密码复杂度,密码失效时长,密码长度,密码重复次数以及其它域控制器要求的安全策略等,可参照如下命令来完成: +``` +---------- List all command options ---------- +# samba-tool domain passwordsettings -h +``` +[ + ![Manage Samba Domain Password Settings](http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png) +][8] + +管理 Samba 域密码策略 + +不要把上图中的密码策略规则用于生产环境中。上面的策略仅仅是用于演示目的。 + +### 第二步:使用活动目录账号来完成 Samba 本地认证。 + +14. 默认情况下,离开 Samba AD DC 环境,AD 用户不能从本地登录到 Linux 系统。 + +为了让活动目录账号也能登录到系统,你必须在 Linux 系统环境中做如下设置,并且要修改 Samba4 AD DC 配置。 + +首先,打开 Samba 主配置文件,如果以下内容下存在,则添加: + +``` +$ sudo nano /etc/samba/smb.conf +``` + +确保以下参数出现在配置文件中: + +``` +winbind enum users = yes +winbind enum groups = yes +``` +[ + ![Samba Authentication Using Active Directory User Accounts](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png) +][9] + +Samba 通过活动目录用户账号来进行认证 + +15. 
修改之后,使用 testparm 工具来验证配置文件没有错误,然后通过如下命令来重启 samba 服务: + +``` +$ testparm +$ sudo systemctl restart samba-ad-dc.service +``` +[ + ![Check Samba Configuration for Errors](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png) +][10] + +检查 Samba 配置文件是否报错 + +16. 下一步,我们需要修改本地 PAM 配置文件,以让 Samba4 活动目录账号能够完成本地认证,开启会话,并且在第一次登录系统时创建一个用户目录。 + +使用 pam-auth-update 命令来打开 PAM 配置提示界面,确保所有的 PAM 选项都已经使用 `[space]` 键来启用,如下图所示: + +完成之后,按 `[Tab]` 键跳转到 OK ,以应用修改。 + +``` +$ sudo pam-auth-update +``` +[ + ![Configure PAM for Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png) +][11] + +为 Samba4 AD 配置 PAM 认证 + +[ + ![Enable PAM Authentication Module for Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png) +][12] + +为 Samba4 AD 用户启用 PAM认证模块 + +17. 现在,使用文本编辑器打开 /etc/nsswitch.conf 配置文件,在 passwd 和 group 参数的最后面添加 winbind参数如下图所示: + +``` +$ sudo vi /etc/nsswitch.conf +``` +[ + ![Add Windbind Service Switch for Samba](http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png) +][13] + +为 Samba 服务添加 Winbind Service Switch 设置 + +18. 最后,编辑 /etc/pam.d/common-password 文件,查找下图所示行并删除 user_authtok 参数。 + +该设置确保活动目录用户在通过 Linux 系统本地认证后,可以在命令行下修改他们的密码。加上这个参数之后, 本地认证的 AD 用户在控制台下不能修改他们的密码。 + +``` +password [success=1 default=ignore] pam_winbind.so try_first_pass +``` +[ + ![Allow Samba AD Users to Change Passwords](http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png) +][14] + +允许 Samba AD 用户修改密码 + +在每次 PAM 更新安装完成并应用到 PAM 模块,或者你每次执行 pam-auth-update 命令后,你都需要删除 use_authton 选项。 + +19. 
Samba4 的二进制文件会生成一个内建的 windindd 进程,并且默认是启用的。 + +因此,你没必要再次去启用并运行 Ubuntu 系统官方自带的 winbind 服务。 + +为了防止系统里原来已废弃的 winbind 服务被启动,确保执行以下命令来禁用并停止原来的 winbind 服务。 + +``` +$ sudo systemctl disable winbind.service +$ sudo systemctl stop winbind.service +``` + +并且,我们也没必要再运行原有的 winbind 进程,但是为了安装并使用 wbinfo 工具,我们还得从系统软件库中安装 Winbind 包。 + +Wbinf 工具可以用来从 winbindd 进程侧来查询活动目录用户和组。 + +以下命令显示了使用 wbinfo 命令如何查询 AD 用户及组信息。 + +``` +$ wbinfo -g +$ wbinfo -u +$ wbinfo -i your_domain_user +``` +[ + ![Check Samba4 AD Information ](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png) +][15] + +检查 Samba4 AD 信息 +[ + ![Check Samba4 AD User Info](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png) +][16] + +检查 Samba4 AD 用户信息 + +20. 除了 wbinfo 工具外,你也可以使用 getent 命令行工具从 Name Service Switch 库中查询活动目录信息库,在 /etc/nsswitch.conf 配置文件中有相关描述内容。 + +getent 命令使用管道符及 grep 选项来过滤结果集,以获取信息库中 AD 域用户及组信息。 + +``` +# getent passwd | grep TECMINT +# getent group | grep TECMINT +``` +[ + ![Get Samba4 AD Details](http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png) +][17] + +查看 Samba4 AD 详细信息 + +### 第三步:使用活动目录账号登录 Linux 系统 + +21. 为了使用 Samba4 AD 用户登录系统,使用 `su -` 命令切换到 AD 用户账号即可。 + +第一次登录系统后,控制台会有信息提示用户的 home 目录已创建完成,系统路径为 `/home/$DOMAIN/` ,名字为用户的 AD 账号名。 + +使用 id 命令来查询其它已登录的用户信息。 + +``` +# su - your_ad_user +$ id +$ exit +``` +[ + ![Check Samba4 AD User Authentication on Linux](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png) +][18] + +检查 Linux 下 Samba4 AD 用户认证结果 + +22. 当你成功登入系统后,在控制台下输入 passwd 命令来修改已登录的 AD 用户密码。 + +``` +$ su - your_ad_user +$ passwd +``` +[ + ![Change Samba4 AD User Password](http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png) +][19] + +修改 Samba4 AD 用户密码 + +23. 
默认情况下,为了完成 Linux 系统的管理性工作,活动目录用户没有 root 账号权限。 + +要授予 AD 用户 root 权限,你必须把用户名添加到本地 sudo 组中,可使用如下命令完成。 + +确保你已输入域,斜杠和 AD 用户名,并且使用英文单引号括起来,如下所示: + +``` +# usermod -aG sudo 'DOMAIN\your_domain_user' +``` + +要检查 AD 用户在本地系统上是否有 root 权限,登录后执行一个命令,比如,使用 sudo 权限执行 apt-get update 命令。 + +``` +# su - tecmint_user +$ sudo apt-get update +``` +[ + ![Grant sudo Permission to Samba4 AD User](http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png) +][20] + +授予 Samba4 AD 用户 sudo 权限 + +24. 如果你想把活动目录组中的所有账号都授予 root 权限,使用 visudo 命令来编辑 /etc/sudoers 配置文件,在 root 权限那一行添加如下内容: + +``` +%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL +``` + +注意 sudoers 这个单词不要分开写。 + +Sudoers 配置文件对于 ASCII 字符处理的不是很好,因此务必使用 '%' 来标识用户组,使用反斜杠来转义域名后的第一个斜杠,如果你的组名中包含空格(大多数 AD 内建组默认情况下包含空格)使用另外一个反斜杠来转义空格。并且域的名称要大写。 + +[ + ![Give Sudo Access to All Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png) +][21] + +授予所有 Samba4 用户 sudo 权限 + +好了,差不多就这些了!管理 Samba4 AD 架构也可以使用 Windows 环境中的其它几个工具,比如 ADUC,DNS 管理器, GPM 等等,这些工具可以通过安装从 Microsoft 官网下载的 RSAT 软件包来获得。 + +要通过 RSAT 工具来管理 Samba4 AD DC ,你必须要把 Windows 系统加入到 Samba4 活动目录。这将是我们下一篇文章的重点,在这之前,多关注 TechMint 网站内容。 +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-active-directory-linux-command-line + +作者:[Matei Cezar ][a] +译者:[rusking](https://github.com/rusking) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[2]:http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/ +[3]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png +[4]:http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png 
+[5]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png +[6]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png +[7]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png +[8]:http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png +[11]:http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png +[12]:http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png +[15]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png +[16]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png +[17]:http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png +[21]:http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png From cbddc5f66e4510fc1909aa716d7b8629c541e599 Mon Sep 17 00:00:00 2001 From: geekpi Date: Tue, 27 Dec 2016 09:08:59 +0800 Subject: [PATCH 014/181] translating --- sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md | 2 ++ 1 file changed, 2 insertions(+) 
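Review bot: In step 18 of the added translation the PAM option name is misspelled twice: the instruction reads 删除 user_authtok 参数 and the reminder after the screenshot reads 删除 use_authton 选项, while the source text removed earlier in this series names the option use_authtok in /etc/pam.d/common-password. A reader who searches the file for either spelling finds nothing and leaves the option in place, so both occurrences should read use_authtok. Two other lines in this hunk change what the reader is told to configure: in step 14, 如果以下内容下存在,则添加 should be 如果以下内容不存在,则添加, since the source says to add the winbind lines if they are missing; and in step 24, 注意 sudoers 这个单词不要分开写 does not render "Pay attention to sudoers syntax", and the next sentence should speak of ASCII quotation marks (引号), not ASCII 字符. In step 19, windindd and Wbinf are typos for winbindd and wbinfo. The empty list items added as +8. and +10. under steps 7 and 9 should be dropped, and the English title left above the ===== underline should be replaced by the Chinese title that currently sits below it.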
diff --git a/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md index e5e5484481..edfdaf4f99 100644 --- a/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md +++ b/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md @@ -1,3 +1,5 @@ +translating---geekpi + Part 4 - LXD 2.0: Resource control ====================================== From 22788d111b0584b5e5fa43f05f942ec715b8aa91 Mon Sep 17 00:00:00 2001 From: wxy Date: Tue, 27 Dec 2016 09:56:22 +0800 Subject: [PATCH 015/181] PROOF:20161215 Installation of Red Hat Enterprise Linux 7.3 Guide MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @GHLandy, thanks for the hard work; you even kept the Chinese and English side by side as in the CentOS article, which saved me a lot of effort. --- ...n of Red Hat Enterprise Linux 7.3 Guide.md | 154 +++++++++--------- 1 file changed, 76 insertions(+), 78 deletions(-) diff --git a/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md b/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md index d064b2460e..a7ce41e027 100644 --- a/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md +++ b/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md 
@@ -1,19 +1,19 @@ RHEL (Red Hat Enterprise Linux,红帽企业级 Linux) 7.3 安装指南 ===== -RHEL 是红帽公司开发维护的开源 Linux 发行版,可以运行在所有的主流 CPU 架构中。一般来说,多数的 Linux 发行版都可以免费下载、安装和使用,但对于 RHEL,只有在购买了订阅之后,你才能下载和使用,否则只能获取到试用期为 30 天的评估版。 +RHEL 是由红帽公司开发维护的开源 Linux 发行版,可以运行在所有的主流 CPU 架构中。一般来说,多数的 Linux 发行版都可以免费下载、安装和使用,但对于 RHEL,只有在购买了订阅之后,你才能下载和使用,否则只能获取到试用期为 30 天的评估版。 -本文会告诉你如何在你的机器上安装最新的 RHEL 7.3,当然了,使用的是期限 30 天的评估版 ISO 镜像,自行到 [https://access.redhat.com/downloads][1] 下载。 +本文会告诉你如何在你的机器上安装最新的 RHEL 7.3,当然了,使用的是期限 30 天的评估版 ISO 镜像,请自行到 [https://access.redhat.com/downloads][1] 下载。 如果你更喜欢使用 CentOS,请移步 [CentOS 7.3 安装指南][2]。 -欲了解 RHEL 7.3 的新特性,请参考 [版本更新日志][3]. +欲了解 RHEL 7.3 的新特性,请参考 [版本更新日志][3]。 #### 先决条件 本次安装是在支持 UEFI 的虚拟机固件上进行的。为了完成安装,你首先需要进入主板的 EFI 固件更改启动顺序为已刻录好 ISO 镜像的对应设备(DVD 或者 U 盘)。 -如果是通过 USB 媒介来安装,你需要确保这个可以启动的 USB 设备是用支持 UEFI 兼容的工具来创建的,比如 [Rufus][4],它能将你的 USB 设备设置为 UEFI 固件所需要的 GPT 分区方案。 +如果是通过 USB 介质来安装,你需要确保这个可以启动的 USB 设备是用支持 UEFI 兼容的工具来创建的,比如 [Rufus][4],它能将你的 USB 设备设置为 UEFI 固件所需要的 GPT 分区方案。 为了进入主板的 UEFI 固件设置面板,你需要在电脑初始化 POST (Power on Self Test,通电自检) 的时候按下一个特殊键。 
@@ -21,153 +21,151 @@ RHEL 是红帽公司开发维护的开源 Linux 发行版,可以运行在所 此外,更改 UEFI 启动顺序前,你要确保快速启动选项 (QuickBoot/FastBoot) 和 安全启动选项 (Secure Boot) 处于关闭状态,这样才能在 EFI 固件中运行 RHEL。 -有一些 UEFI 固件主板模型有这样一个选项,它让你能够以传统的 BIOS 或者 EFI CSM (Compatibility Support Module,兼容支持模块) 两种模式来安装操作系统,其中 CSM 是主板固件中一个用来模拟 BIOS 环境的模块。这种类型的安装需要 U 盘以 MBR 而非 GPT 来进行分区。 +有一些 UEFI 固件主板模型有这样一个选项,它让你能够以传统的 BIOS 或者 EFI CSM (Compatibility Support Module,兼容支持模块) 两种模式来安装操作系统,其中 CSM 是主板固件中一个用来模拟 BIOS 环境的模块。这种类型的安装需要 U 盘以 MBR 而非 GPT 来进行分区。 -此外,一旦你在含有两种模式的 UEFI 机器中成功安装好 RHEL 或者类似的 OS,那么安装好的系统就必须和你安装时使用的模式来运行。 - -而且,你也不能够从 UEFI 模式变更到传统的 BIOS 模式,反之亦然。强行变更这两种模式会让你的系统变得不稳定、无法启动,同时还需要重新安装系统。 +此外,一旦在你的 UEFI 机器中以这两种模式之一成功安装好 RHEL 或者类似的 OS,那么安装好的系统就必须以你安装时使用的模式来运行。而且,你也不能够从 UEFI 模式变更到传统的 BIOS 模式,反之亦然。强行变更这两种模式会让你的系统变得不稳定、无法启动,同时还需要重新安装系统。 ### RHEL 7.3 安装指南 -1. 首先,下载并使用合适的工具刻录 RHEL 7.3 ISO 镜像到 DVD 或者创建一个可启动的 U 盘。 +1、 首先,下载并使用合适的工具刻录 RHEL 7.3 ISO 镜像到 DVD 或者创建一个可启动的 U 盘。 - 给机器加电启动,把 DVD/U 盘反正合适驱动器中并按下特定的启动键变得更启动顺序来启动安装介质。 +给机器加电启动,把 DVD/U 盘放入合适驱动器中,并根据你的 UEFI/BIOS 类型,按下特定的启动键变更启动顺序来启动安装介质。 - 探测到安装介质之后,它会启动到 RHEL grub 菜单。选择 Install red hat Enterprise Linux 7.3 并按 [Enter] 继续。 +当安装介质被检测到之后,它会启动到 RHEL 的 grub 菜单。选择“Install red hat Enterprise Linux 7.3” 并按回车继续。 - [![RHEL 7.3 Boot Menu](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg)][5] +[![RHEL 7.3 Boot Menu](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Boot-Menu.jpg)][5] - RHEL 7.3 启动菜单 +*RHEL 7.3 启动菜单* -2. 之后屏幕就会显示 RHEL 7.3 欢迎界面。该界面选择安装过程中使用的语言 (LCTT 译注:这里选的只是安装过程中使用的言语,之后的安装中才会进行最终使用的系统言语环境) ,然后 [Enter] 到下一界面。 +2、 之后屏幕就会显示 RHEL 7.3 欢迎界面。该界面选择安装过程中使用的语言 (LCTT 译注:这里选的只是安装过程中使用的语言,之后的安装中才会进行最终使用的系统语言环境) ,然后按回车到下一界面。 - [![Select RHEL 7.3 Language](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png)][6] +[![Select RHEL 7.3 Language](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Language.png)][6] - 选择 RHEL 7.3 安装过程使用的言语 +*选择 RHEL 7.3 安装过程使用的语言* -3. 
下一界面中显示的是安装 RHEL 是你需要设置的所有事项的总体概览。首先点击日期和时间 (DATE & TIME) 并再地图中选择你的设备所在区域。 +3、 下一界面中显示的是安装 RHEL 时你需要设置的所有事项的总体概览。首先点击日期和时间 (DATE & TIME) 并在地图中选择你的设备所在地区。 - 点击最上面的完成 (Done) 按钮来保持你的设置,并进行下一步系统设置。 +点击最上面的完成 (Done) 按钮来保持你的设置,并进行下一步系统设置。 - [![RHEL 7.3 Installation Summary](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png)][7] +[![RHEL 7.3 Installation Summary](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Summary.png)][7] - RHEL 7.3 安装概览 +*RHEL 7.3 安装概览* - [![Select RHEL 7.3 Date and Time](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png)][8] +[![Select RHEL 7.3 Date and Time](http://www.tecmint.com/wp-content/uploads/2016/12/Select-RHEL-7.3-Date-and-Time.png)][8] - 选择 RHEL 7.3 日期和时间 +*选择 RHEL 7.3 日期和时间* -4. 接下来,就是配置你的键盘布局并再次点击完成 (Done) 按钮返回安装主菜单。 +4、 接下来,就是配置你的键盘(keyboard)布局并再次点击完成 (Done) 按钮返回安装主菜单。 [![Configure Keyboard Layout](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Keyboard-Layout.png)][9] - 配置键盘布局 +*配置键盘布局* -5. 紧接着,选择你使用的语言支持,并点击完成 (Done),然后进行下一步。 +5、 紧接着,选择你使用的语言支持(language support),并点击完成 (Done),然后进行下一步。 - [![Choose Language Support](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png)][10] +[![Choose Language Support](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-Language-Support.png)][10] - 选择语言支持 +*选择语言支持* -6. 
安装源保持默认就好,因为本例中我们使用本地安装 (DVD/USB 镜像),然后选择要安装的软件集。 +6、 安装源(Installation Source)保持默认就好,因为本例中我们使用本地安装 (DVD/USB 镜像),然后选择要安装的软件集(Software Selection)。 - 此处你对基本环境 (base environment) 和附件 (Add-ons) 进行选择。由于 RHEL 常用作 Linux 服务器,最小化安装对于系统管理员来说则是最佳选择。 +此处你可以选择基本环境 (base environment) 和附件 (Add-ons) 。由于 RHEL 常用作 Linux 服务器,最小化安装(Minimal Installation)对于系统管理员来说则是最佳选择。 - 对于生产环境来说,这也是官方极力推荐的安装方式,因为我们只需要在 OS 中安装极少量软件就好了。 +对于生产环境来说,这也是官方极力推荐的安装方式,因为我们只需要在 OS 中安装极少量软件就好了。 - 这也意味着高安全性、可伸缩性以及占用极少的磁盘空间。同时,通过购买订阅 (subscription) 或使用 DVD 镜像元,其中列出的的其他环境和附件都是可以在命令行中很容易就可以安装的。 +这也意味着高安全性、可伸缩性以及占用极少的磁盘空间。同时,通过购买订阅 (subscription) 或使用 DVD 镜像源,这里列出的的其它环境和附件都是可以在命令行中很容易地安装。 - [![RHEL 7.3 Software Selection](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png)][11] +[![RHEL 7.3 Software Selection](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Software-Selection.png)][11] - RHEL 7.3 软件集选择 +*RHEL 7.3 软件集选择* -7. 万一你想要安装预定义的基本环境之一,比方说 Web 服务器、文件 & 打印服务器、基本服务器、带 GUI 的可视化主机 & 服务器等,直接点击选择它们,然后在右边的框选择附件,最后点击完成 (Done) 结束这一步操作即可。 +7、 万一你想要安装预定义的基本环境之一,比方说 Web 服务器、文件 & 打印服务器、架构服务器、虚拟化主机、带 GUI 的服务器等,直接点击选择它们,然后在右边的框选择附件,最后点击完成 (Done) 结束这一步操作即可。 - [![Select Server with GUI on RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png)][12] +[![Select Server with GUI on RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Select-Server-with-GUI-on-RHEL-7.3.png)][12] - 选择 带 GUI 的可视化主机 & 服务器 +*选择带 GUI 的服务器* -8. 
在接下来点击安装目标 (Installation Destination),这个步骤要求你为将要安装的系统进行分区、格式化文件系统并设置挂载点。 +8、 在接下来点击安装目标 (Installation Destination),这个步骤要求你为将要安装的系统进行分区、格式化文件系统并设置挂载点。 - 最好的做法就是让安装器自动配置硬盘分区,这样会创建 Linux 系统所有需要用到的基本分区 (在 LVM 中 分区 `/boot`、`/boot/efi`、`/(root)` 以及 `swap` ),并格式化为 RHEL 7.3 默认的 XFS 文件系统。 +最安全的做法就是让安装器自动配置硬盘分区,这样会创建 Linux 系统所有需要用到的基本分区 (在 LVM 中创建 `/boot`、`/boot/efi`、`/(root)` 以及 `swap` 等分区),并格式化为 RHEL 7.3 默认的 XFS 文件系统。 - 请记住:如果安装进程是从 UEFI 固件中启动的,那么硬盘的分区表则是 GPT 分区方案。否则,如果你以 CSM 或传统 BIOS 来启动,硬盘的分区表则使用老旧的 MBR 分区方案。 +请记住:如果安装过程是从 UEFI 固件中启动的,那么硬盘的分区表则是 GPT 分区方案。否则,如果你以 CSM 或传统 BIOS 来启动,硬盘的分区表则使用老旧的 MBR 分区方案。 - 假如不喜欢自动分区,你也可以选择配置你的硬盘分区表,手动创建自己需要的分区。 +假如不喜欢自动分区,你也可以选择配置你的硬盘分区表,手动创建自己需要的分区。 - 不论如何,本文推荐你选择自动配置分区。最后点击完成 (Done) 继续下一步。 +不论如何,本文推荐你选择自动配置分区。最后点击完成 (Done) 继续下一步。 - [![Choose RHEL 7.3 Installation Drive](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png)][13] +[![Choose RHEL 7.3 Installation Drive](http://www.tecmint.com/wp-content/uploads/2016/12/Choose-RHEL-7.3-Installation-Drive.png)][13] - 选择 RHEL 7.3 的安装硬盘 +*选择 RHEL 7.3 的安装硬盘* -9. 下一步是禁用 Kdump 服务,然后配置网络。 +9、 下一步是禁用 Kdump 服务,然后配置网络。 - [![Disable Kdump Feature](http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png)][14] +[![Disable Kdump Feature](http://www.tecmint.com/wp-content/uploads/2016/12/Disable-Kdump-Feature.png)][14] - 禁用 Kdump 特性 +*禁用 Kdump 特性* -10. 在网络和主机名称中,设置你机器使用的主机名和一个描述性名称,同时拖动 Ethernet 开关按钮到 `ON` 来启用网络。 +10、 在网络和主机名(Network and Hostname)中,设置你机器使用的主机名和一个描述性名称,同时拖动 Ethernet 开关按钮到 `ON` 来启用网络功能。 - 如果你在自己的网络中有一个 DHCP 服务器,那么网络 IP 设置会自动获取和使用。 +如果你在自己的网络中有一个 DHCP 服务器,那么网络 IP 设置会自动获取和使用。 - [![Configure Network Hostname](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png)][15] +[![Configure Network Hostname](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-Hostname.png)][15] - 配置网络主机名称 +*配置网络主机名称* -11. 
如果要为网络接口设置静态 IP,点击配置 (Configure) 按钮,然后手动设置 IP,如下方截图所示。 +11、 如果要为网络接口设置静态 IP,点击配置 (Configure) 按钮,然后手动设置 IP,如下方截图所示。 - 设置好网络接口的 IP 地址之后,点击保存 (Save) 按钮,最后切换一下网络接口的 `OFF` 和 `ON` 状态已应用刚刚设置的静态 IP。 +设置好网络接口的 IP 地址之后,点击保存 (Save) 按钮,最后切换一下网络接口的 `OFF` 和 `ON` 状态已应用刚刚设置的静态 IP。 - 最后,点击完成 (Done) 按钮返回到安装设置主界面。 +最后,点击完成 (Done) 按钮返回到安装设置主界面。 - [![Configure Network IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png)][16] +[![Configure Network IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Network-IP-Address.png)][16] - 配置网络 IP 地址 +*配置网络 IP 地址* -12. 最后,在安装配置主界面需要你配置的最后一项就是安全策略配置文件了。选择并应用默认的安全策略,然后点击完成 (Done) 返回主界面。 +12、 最后,在安装配置主界面需要你配置的最后一项就是安全策略配置(Security Policy)文件了。选择并应用默认的(Default)安全策略,然后点击完成 (Done) 返回主界面。 - 回顾所有的安装设置项并点击开始安装 (Begin Installation) 按钮来启动安装进程,这个进程启动之后,你就没有办法停止它了。 +回顾所有的安装设置项并点击开始安装 (Begin Installation) 按钮来启动安装过程,这个过程启动之后,你就没有办法停止它了。 - [![Apply Security Policy for RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png)][17] +[![Apply Security Policy for RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Apply-Security-Policy-on-RHEL-7.3.png)][17] - 为 RHEL 7.3 启用安全策略 +*为 RHEL 7.3 启用安全策略* - [![Begin Installation of RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png)][18] +[![Begin Installation of RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/Begin-RHEL-7.3-Installation.png)][18] - 开始安装 RHEL 7.3 +*开始安装 RHEL 7.3* -13. 
在安装进程中,你的显示器会出现用户设置 (User Settings)。首先点击 Root 密码 (Root Password) 为 root 账户设置一个高强度密码。 +13、 在安装过程中,你的显示器会出现用户设置 (User Settings)。首先点击 Root 密码 (Root Password) 为 root 账户设置一个高强度密码。 - [![Configure User Settings](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png)][19] +[![Configure User Settings](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-User-Settings.png)][19] - 配置用户选项 +*配置用户选项* - [![Set Root Account Password](http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png)][20] +[![Set Root Account Password](http://www.tecmint.com/wp-content/uploads/2016/12/Set-Root-Account-Password.png)][20] - 设置 Root 账户密码 +*设置 Root 账户密码* -14. 最后,创建一个新用户,通过选中使该用户成为管理员 (Make this user administrator) 为新建的用户授权 root 权限。同时还要为这个账户设置一个高强度密码,点击完成 (Done) 返回用户设置菜单,就可以等待安装进程完成了。 +14、 最后,创建一个新用户,通过选中使该用户成为管理员 (Make this user administrator) 为新建的用户授权 root 权限。同时还要为这个账户设置一个高强度密码,点击完成 (Done) 返回用户设置菜单,就可以等待安装过程完成了。 - [![Create New User Account](http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png][21] +[![Create New User Account](http://www.tecmint.com/wp-content/uploads/2016/12/Create-New-User-Account.png)][21] - 创建新用户账户 +*创建新用户账户* - [![RHEL 7.3 Installation Process](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png)][22] +[![RHEL 7.3 Installation Process](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Process.png)][22] - RHEL 7.3 安装进程 +*RHEL 7.3 安装过程* -15. 
安装进程介绍并成功安装后,弹出 DVD/USB 设备,重启机器。 +15、 安装过程结束并成功安装后,弹出或拔掉 DVD/USB 设备,重启机器。 - [![RHEL 7.3 Installation Complete](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png)][23] +[![RHEL 7.3 Installation Complete](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Installation-Complete.png)][23] - RHEL 7.3 安装完成 +*RHEL 7.3 安装完成* - [![Booting Up RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png)][24] +[![Booting Up RHEL 7.3](http://www.tecmint.com/wp-content/uploads/2016/12/RHEL-7.3-Booting.png)][24] - 启动 RHEL 7.3 +*启动 RHEL 7.3* - 至此,安装完成。为了后期一直使用 RHEL,你需要从 Red Hat 消费者门户购买一个订阅,然后在命令行 [使用订阅管理器来注册你的 RHEL 系统][25]。 +至此,安装完成。为了后期一直使用 RHEL,你需要从 Red Hat 消费者门户购买一个订阅,然后在命令行 [使用订阅管理器来注册你的 RHEL 系统][25]。 ------------------ @@ -185,7 +183,7 @@ via: http://www.tecmint.com/red-hat-enterprise-linux-7-3-installation-guide/ 作者:[Matei Cezar][a] 译者:[GHLandy](https://github.com/GHLandy) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From ec5bb46ebdc2d0136b8fb974da11a33fdf7202b5 Mon Sep 17 00:00:00 2001 From: wxy Date: Tue, 27 Dec 2016 09:56:40 +0800 Subject: [PATCH 016/181] PUB:20161215 Installation of Red Hat Enterprise Linux 7.3 Guide @GHLandy --- ...20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md (100%) diff --git a/translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md b/published/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md similarity index 100% rename from translated/tech/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md rename to published/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md From d1ef6364d73c5d8711444c6379ce356d56334f78 Mon Sep 17 00:00:00 2001 
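Review bot: two typos survive on added lines of the RHEL 7.3 installation guide proofread. In step 6 the added line still reads `这里列出的的其它环境和附件` with a doubled `的`, and in step 11 the added line keeps `状态已应用刚刚设置的静态 IP`, where `以应用` ("in order to apply") is meant rather than `已应用` ("already applied"). Both are worth fixing in this patch, because the next patch in the series (PATCH 016) renames the file into `published/` with `similarity index 100%`, so the text ships exactly as it stands here.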
From: wxy Date: Tue, 27 Dec 2016 11:53:22 +0800 Subject: [PATCH 017/181] PUB:20160505 A daughter of Silicon Valley shares her 'nerd' story @name1e5s --- ... Silicon Valley shares her 'nerd' story.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) rename {translated/talk/my-open-source-story => published}/20160505 A daughter of Silicon Valley shares her 'nerd' story.md (54%) diff --git a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md b/published/20160505 A daughter of Silicon Valley shares her 'nerd' story.md similarity index 54% rename from translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md rename to published/20160505 A daughter of Silicon Valley shares her 'nerd' story.md index 2ac7b96567..20fb963c6b 100644 --- a/translated/talk/my-open-source-story/20160505 A daughter of Silicon Valley shares her 'nerd' story.md +++ b/published/20160505 A daughter of Silicon Valley shares her 'nerd' story.md 
@@ -3,29 +3,29 @@ ![](https://opensource.com/sites/default/files/styles/image-full-size/public/images/life/myopensourcestory.png?itok=6TXlAkFi) -在 2014 年,为了对网上一些关于在科技行业女性稀缺的评论作出回应,我的同事 [Crystal Beasley][1] 倡议在科技/信息安全方面工作的女性在网络上分享自己的“成才之路”。这篇文章就是我的故事。我把我的故事与你们分享是因为我相信榜样的力量,也相信一个人有多种途径,选择一个让自己满意的有挑战性的工作,以及实现目标的人生。 +在 2014 年,为了对网上一些关于在科技行业女性稀缺的评论作出回应,我的同事 [Crystal Beasley][1] 倡议在科技/信息安全方面工作的女性在网络上分享自己的“成才之路”。这篇文章就是我的故事。我把我的故事与你们分享是因为我相信榜样的力量,也相信一个人有多种途径,选择一个让自己满意的有挑战性的工作以及可以实现目标的人生。 ### 和电脑相伴的童年 我可以说是硅谷的女儿。我的故事不是一个从科技业余爱好转向专业的故事,也不是从小就专注于这份事业的故事。这个故事更多的是关于环境如何塑造你 — 通过它的那种已然存在的文化来改变你,如果你想要被改变的话。这不是从小就开始努力并为一个明确的目标而奋斗的故事,我意识到,这其实是享受了一些特权的成长故事。 -我出生在曼哈顿,但是我在新泽西州长大,因为我的爸爸退伍后,在那里的罗格斯大学攻读计算机科学的博士学位。当我四岁时,学校里有人问我爸爸干什么谋生时,我说,“他就是看电视和捕捉小虫子,但是我从没有见过那些小虫子”(译者注:小虫子,bug)。他在家里有一台哑终端,这大概与他在 Bolt Beranek Newman 公司的工作有关,做关于早期互联网人工智能方面的工作。我就在旁边看着。 +我出生在曼哈顿,但是我在新泽西州长大,因为我的爸爸退伍后,在那里的罗格斯大学攻读计算机科学的博士学位。当我四岁时,学校里有人问我爸爸干什么谋生时,我说,“他就是看电视和捕捉小虫子,但是我从没有见过那些小虫子”(LCTT 译注:小虫子,bug)。他在家里有一台哑终端(LCTT 译注:就是那台“电视”),这大概与他在 Bolt Beranek Newman 公司的工作有关,做关于早期互联网人工智能方面的工作。我就在旁边看着。 -我没能玩上父亲的会抓小虫子的电视,但是我很早就接触到了技术领域,我很珍惜这个礼物。提早的熏陶对于一个未来的高手是十分必要的 — 所以,请花时间和你的小孩谈谈你所知道的你做的事情! +我没能玩上父亲的会抓小虫子的电视,但是我很早就接触到了技术领域,我很珍惜这个礼物。提早的熏陶对于一个未来的高手是十分必要的 — 所以,请花时间和你的小孩谈谈你在做的事情! 
![](https://opensource.com/sites/default/files/resize/moss-520x433.png) *我父亲的终端和这个很类似 —— 如果不是这个的话 CC BY-SA 4.0* -当我六岁时,我们搬到了加州。父亲在施乐的研究中心找到了一个工作。我记得那时我认为这个城市一定有很多熊,因为在它的旗帜上有一个熊。在1979年,Palo Alto 还是一个大学城,还有果园和开阔地带。 +当我六岁时,我们搬到了加州。父亲在施乐的帕克研究中心(Xerox PARC)找到了一个工作。我记得那时我认为这个城市一定有很多熊,因为在它的旗帜上有一个熊。在1979年,帕洛阿图市还是一个大学城,还有果园和开阔地带。 -在 Palo Alto 的公立学校待了一年之后,我的姐姐和我被送到了“半岛学校”,这个“民主模范”学校对我造成了深刻的影响。在那里,好奇心和创新意识是被高度推崇的,教育也是由学生自己分组讨论决定的。在学校,我们很少能看到叫做电脑的东西,但是在家就不同了。 +在 Palo Alto 的公立学校待了一年之后,我的姐姐和我被送到了“半岛学校”,这个“民主典范”学校对我造成了深刻的影响。在那里,好奇心和创新意识是被高度推崇的,教育也是由学生自己分组讨论决定的。在学校,我们很少能看到叫做电脑的东西,但是在家就不同了。 -在父亲从施乐辞职之后,他就去了 Apple 公司,在那里他工作使用并带回家让我玩的第一批电脑就是:Apple II 和 LISA。我的父亲在最初的 LISA 的研发团队。我直到现在还深刻的记得他让我们一次又一次的“玩鼠标”的场景,因为他想让我的 3 岁大的妹妹对这个东西感到舒服 —— 她也确实那样。 +在父亲从施乐辞职之后,他就去了苹果公司,在那里他工作使用并带回家让我玩的第一批电脑就是:Apple II 和 LISA。我的父亲在最初的 LISA 的研发团队。我直到现在还深刻的记得他让我们一次又一次的“玩”鼠标训练的场景,因为他想让我的 3 岁大的妹妹也能对这个东西觉得好用 —— 她也确实那样。 ![](https://opensource.com/sites/default/files/resize/600px-apple_lisa-520x520.jpg) -*我们的 LISA 看起来就像这样,看到鼠标了吗?CC BY-SA 4.0* +*我们的 LISA 看起来就像这样。谁看到鼠标哪儿去了?CC BY-SA 4.0* 在学校,我的数学的概念学得不错,但是基本计算却惨不忍睹。我的第一个学校的老师告诉我的家长和我,说我的数学很差,还说我很“笨”。虽然我在“常规的”数学项目中表现出色,能理解一个超出 7 岁孩子理解能力的逻辑谜题,但是我不能完成我们每天早上都要做的“练习”。她说我傻,这事我不会忘记。在那之后的十年我都没能相信自己的逻辑能力和算法的水平。**不要低估你对孩子说的话的影响**。 @@ -33,7 +33,7 @@ ### 本科时光 -我想我要成为一个小学教师,我就读米尔斯学院就是想要做这个。但是后来我开始研究女性,后来又研究神学,我这样做仅仅是由于我自己的一个渴求:我希望能理解人类的意志以及为更好的世界而努力。 +我想我要成为一个小学教师,我就读米尔斯学院就是想要做这个。但是后来我开始研究女性学,后来又研究神学,我这样做仅仅是由于我自己的一个渴求:我希望能理解人类的意志以及为更好的世界而努力。 同时,我也感受到了互联网的巨大力量。在 1991 年,拥有你自己的 UNIX 的账户,能够和全世界的人谈话,是很令人兴奋的事。我仅仅从在互联网中“玩”就学到了不少,从那些愿意回答我提出的问题的人那里学到的就更多了。这些学习对我的职业生涯的影响不亚于我在正规学校教育之中学到的知识。所有的信息都是有用的。我在一个女子学院度过了学习的关键时期,那时是一个杰出的女性在掌管计算机院。在那个宽松氛围的学院,我们不仅被允许,还被鼓励去尝试很多的道路(我们能接触到很多很多的科技,还有聪明人愿意帮助我们),我也确实那样做了。我十分感激当年的教育。在那个学院,我也了解了什么是极客文化。 
@@ -41,31 +41,31 @@ ### 新的开端 -在 1995 年,我被万维网连接人们以及分享想法和信息的能力所震惊(直到现在仍是如此)。我想要进入这个行业。看起来我好像要“女承父业”,但是我不知道如何开始。我开始在硅谷做临时工,从 Sun Microsystems 公司得到我的第一个“真正”技术职位前尝试做了一些事情(为半导体数据写最基础的数据库,技术手册印发前的事务,备份工资单的存跟)。这些事很让人激动。(毕竟,我们是“.com”中的那个”点“)。 +在 1995 年,我被互联网连接人们以及分享想法和信息的能力所震惊(直到现在仍是如此)。我想要进入这个行业。看起来我好像要“女承父业”,但是我不知道如何开始。我开始在硅谷做临时工,从 Sun 微系统公司得到我的第一个“真正”技术职位前尝试做了一些事情(为半导体数据公司写最基础的数据库,技术手册印发前的事务,备份工资单的存跟)。这些事很让人激动。(毕竟,我们是“.com”中的那个”点“)。 -在 Sun ,我努力学习,尽可能多的尝试新事物。我的第一个工作是网页化 HTMLing(啥?这是一个词!)白皮书,以及为 Beta 程序修改一些基础的服务工具(大多数是Perl写的)。后来我成为 Solaris beta 项目组中的项目经理,并在 Open Solaris 的 Beta 版运行中感受到了开源的力量。 +在 Sun 公司,我努力学习,尽可能多的尝试新事物。我的第一个工作是网页化 HTMLing(啥?这居然是一个词!)白皮书,以及为 Beta 程序修改一些基础的服务工具(大多数是 Perl 写的)。后来我成为 Solaris beta 项目组中的项目经理,并在 Open Solaris 的 Beta 版运行中感受到了开源的力量。 -在那里我做的最重要的事情就是学校。我发现在同样重视工程和教育的地方有一种气氛,在那里我的问题不再显得“傻”。我很庆幸我选对了导师和朋友。在决定休第二个孩子的产假之前,我上每一堂我能上的课程,读每一本我能读的书,尝试自学我在学校没有学习过的技术,商业以及项目管理方面的技能。 +在那里我做的最重要的事情就是学习。我发现在同样重视工程和教育的地方有一种气氛,在那里我的问题不再显得“傻”。我很庆幸我选对了导师和朋友。在决定休第二个孩子的产假之前,我上每一堂我能上的课程,读每一本我能读的书,尝试自学我在学校没有学习过的技术,商业以及项目管理方面的技能。 ### 重回工作 -当我准备重新工作时,Sun 已经不是可行的地方。所以,我收集了很多人的信息(网络是你的朋友),利用我的沟通技能,最终获得了一个管理互联网门户的长期合同(2005 年时,一切皆门户),并且开始了解 CRM,发布产品的方式,本地化,网络等知识。我讲这么多背景,主要是我尝试以及失败的经历,和我成功的经历同等重要,从中学到很多。我也认为我们需要这个方面的榜样。 +当我准备重新工作时,Sun 公司已经不再是合适的地方了。所以,我整理了我的联系信息(网络帮到了我),利用我的沟通技能,最终获得了一个管理互联网门户的长期合同(2005 年时,一切皆门户),并且开始了解 CRM、发布产品的方式、本地化、网络等知识。我讲这么多背景,主要是我的尝试以及失败的经历,和我成功的经历同等重要,从中学到很多。我也认为我们需要这个方面的榜样。 -从很多方面来看,我的职业生涯的第一部分是我的技术教育。这事发生的时间和地点都和现在不一样了 —— 我在帮助组织中的女性和其他弱势群体,但是我之后成为一个技术行业的女性。当时无疑我没有看到这个行业的缺陷,但是现在这个行业更加的厌恶女性,一点没有减少。 +从很多方面来看,我的职业生涯的第一部分是我的技术教育。时变势移 —— 我在帮助组织中的女性和其他弱势群体,但是并没有看出为一个技术行业的女性有多难。当时无疑我没有看到这个行业的缺陷,但是现在这个行业更加的厌恶女性,一点没有减少。 -在这些事情之后,我还没有把自己当作一个标杆,或者一个高级技术人员。当我在父母圈子里认识的一位极客朋友鼓励我申请一个看起来定位十分模糊且技术性很强的开源的非盈利基础设施商店(互联网系统协会,BIND --一个广泛部署的开源 DNS 名称服务器--的缔造者,13 台根域名服务器之一的运营商)的产品经理时,我很震惊。有很长一段时间,我都不知道他们为什么要雇佣我!我对 DNS 
,基础设备,以及协议的开发知之甚少,但是我再次遇到了老师,并再度开始飞速发展。我花时间旅行,在关键流程攻关,搞清楚如何与高度国际化的团队合作,解决麻烦的问题,最重要的是,拥抱支持我们的开源和充满活力的社区。我几乎重新学了一切,通过试错的方式。我学习如何构思一个产品。如何通过建设开源社区,领导那些有这特定才能,技能和耐心的人,是他们给了产品价值。 +在这些事情之后,我还没有把自己当作一个标杆,或者一个高级技术人员。当我在父母圈子里认识的一位极客朋友鼓励我申请一个看起来定位十分模糊且技术性很强的开源的非盈利基础设施机构(互联网系统协会 ISC,它是广泛部署的开源 DNS 名称服务器 BIND 的缔造者,也是 13 台根域名服务器之一的运营商)的产品经理时,我很震惊。有很长一段时间,我都不知道他们为什么要雇佣我!我对 DNS、基础设备,以及协议的开发知之甚少,但是我再次遇到了老师,并再度开始飞速发展。我花时间出差,在关键流程攻关,搞清楚如何与高度国际化的团队合作,解决麻烦的问题,最重要的是,拥抱支持我们的开源和充满活力的社区。我几乎重新学了一切,通过试错的方式。我学习如何构思一个产品。如何通过建设开源社区,领导那些有这特定才能,技能和耐心的人,是他们给了产品价值。 ### 成为别人的导师 当我在 ISC 工作时,我通过 [TechWomen 项目][2] (一个让来自中东和北非的技术行业的女性到硅谷来接受教育的计划),我开始喜欢教学生以及支持那些技术女性,特别是在开源行业中奋斗的。也正是从这时起我开始相信自己的能力。我还需要学很多。 -当我第一次读 TechWomen 关于导师的广告时,我认为那些导师甚至都不会想要和我说话!我有冒名顶替综合征。当他们邀请我成为第一批导师(以及以后 6 年的导师)时,我很震惊,但是现在我学会了相信这些都是我努力得到的待遇。冒名顶替综合征是真实的,但是它能被时间冲淡。 +当我第一次读 TechWomen 关于导师的广告时,我根本不认为他们会约我面试!我有冒名顶替综合症。当他们邀请我成为第一批导师(以及以后六年每年的导师)时,我很震惊,但是现在我学会了相信这些都是我努力得到的待遇。冒名顶替综合症是真实的,但是随着时间过去我就慢慢名副其实了。 ### 现在 -最后,我不得不离开我在 ISC 的工作。幸运的是,我的工作以及我的价值让我进入了 Mozilla ,在这里我的努力和我的幸运让我在这里承担着重要的角色。现在,我是一名支持多样性的高级项目经理。我致力于构建一个更多样化,更有包容性的 Mozilla ,站在之前的做同样事情的巨人的肩膀上,与最聪明友善的人们一起工作。我用我的激情来让人们找到贡献一个世界需要的互联网的有意义的方式:这让我兴奋了很久。我能看见,我做到了! +最后,我不得不离开我在 ISC 的工作。幸运的是,我的工作以及我的价值让我进入了 Mozilla ,在这里我的努力和我的幸运让我在这里承担着重要的角色。现在,我是一名支持多样性与包容的高级项目经理。我致力于构建一个更多样化,更有包容性的 Mozilla ,站在之前的做同样事情的巨人的肩膀上,与最聪明友善的人们一起工作。我用我的激情来让人们找到贡献一个世界需要的互联网的有意义的方式:这让我兴奋了很久。当我爬上山峰,我能极目四望! -通过对组织和个人行为的干预来获取一种新的方式,以改变文化,这和我的人生轨迹有着不可思议的联系 —— 从我的早期的学术生涯,到职业生涯再到现在。每天都是一个新的挑战,我想这是我喜欢在科技行业工作,尤其是在开放互联网工作的地方。互联网天然的多元性是它最开始吸引我的原因,也是我还在寻求的 —— 所有人都有机会和获取资源的可能性,无论背景如何。榜样,导师,资源,以及最重要的,尊重,是不断发展技术和开源文化的必要组成部分,实现我相信它能实现的所有事 —— 包括给所有人平等的接触机会。 +通过对组织和个人行为的干预来获取一种改变文化的新方式,这和我的人生轨迹有着不可思议的联系 —— 从我的早期的学术生涯,到职业生涯再到现在。每天都是一个新的挑战,我想这是我喜欢在科技行业工作,尤其是在开放互联网工作的理由。互联网天然的多元性是它最开始吸引我的原因,也是我还在寻求的 —— 所有人都有机会和获取资源的可能性,无论背景如何。榜样、导师、资源,以及最重要的,尊重,是不断发展技术和开源文化的必要组成部分,实现我相信它能实现的所有事 —— 包括给所有人平等的接触机会。 -------------------------------------------------------------------------------- 
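Review bot: place-name handling is inconsistent inside the first hunk (`@@ -3,29 +3,29 @@`) of the "A daughter of Silicon Valley" publish patch. One added line translates the city as `帕洛阿图市`, while the very next added line keeps `在 Palo Alto 的公立学校`; pick one form and use it in both places. The same added line also writes `在1979年` without the spaces around the number that `在 2014 年` uses at the top of the file.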
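Review bot: in the last hunk (`@@ -41,31 +41,31 @@`) of the "A daughter of Silicon Valley" publish patch, the added line still carries reversed quotation marks in `那个”点“`; it should read `“点”` to match `“.com”` in the same sentence. The rewritten ISC paragraph also keeps `有这特定才能`, which reads as a typo for `有着特定才能`. Since this commit moves the article to `published/`, these are the last chance to catch them.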
From 4583213244b2afe56e32ff7a3fd1e9291bc71c55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=99=88=E5=AE=B6=E5=90=AF?= Date: Tue, 27 Dec 2016 13:14:22 +0800 Subject: [PATCH 018/181] Update 20161026 Applying the Linus Torvalds Good Taste Coding Requirement.md --- ...pplying the Linus Torvalds Good Taste Coding Requirement.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sources/tech/20161026 Applying the Linus Torvalds Good Taste Coding Requirement.md b/sources/tech/20161026 Applying the Linus Torvalds Good Taste Coding Requirement.md index 477a6b886e..61bd5ac57a 100644 --- a/sources/tech/20161026 Applying the Linus Torvalds Good Taste Coding Requirement.md +++ b/sources/tech/20161026 Applying the Linus Torvalds Good Taste Coding Requirement.md @@ -1,3 +1,4 @@ +Translating by cposture 20161228 # Applying the Linus Torvalds “Good Taste” Coding Requirement In [a recent interview with Linus Torvalds][1], the creator of Linux, at approximately 14:20 in the interview, he made a quick point about coding with “good taste”. Good taste? The interviewer prodded him for details and Linus came prepared with illustrations. @@ -44,7 +45,7 @@ Again, the purpose of this code was to only initialize the values of the points To accomplish this I initially looped over every point in the grid and used conditionals to test for the edges. This is what it looked like: -``` +```Tr for (r = 0; r < GRID_SIZE; ++r) { for (c = 0; c < GRID_SIZE; ++c) { ``` From 705a7734c359c2390ea99c2f50c681538ed2dd7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=91=A8=E5=AE=B6=E6=9C=AA?= Date: Tue, 27 Dec 2016 13:43:18 +0800 Subject: [PATCH 019/181] GitFuture is translating this article --- sources/tech/20160929 Getting Started with HTTP2 - Part 2.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md b/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md index 769a87afd3..6a98fc0056 100644 
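Review bot: the second hunk (`@@ -44,7 +45,7 @@`) of the "Applying the Linus Torvalds Good Taste Coding Requirement" update changes the opening code fence of the C example from a bare three-backtick fence to the same fence followed by `Tr`, which looks like a stray keystroke left over from typing the `Translating by cposture 20161228` claim line. It modifies the source article's code block and tags it with a language name that does not exist, in a commit whose stated purpose is only to claim the translation. Drop that change so the patch is the single added line at the top of the file (1 insertion, 0 deletions).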
--- a/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md +++ b/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md @@ -1,3 +1,5 @@ +It's translated by GitFuture now. + Getting Started with HTTP/2: Part 2 ============================================================ ![](https://static.viget.com/_284x284_crop_center-center/ben-t-http-blog-thumb-01_360.png?mtime=20160928234634) From cfb12376bea43c40d9d73a78d22fe63dfea1a853 Mon Sep 17 00:00:00 2001 From: geekpi Date: Tue, 27 Dec 2016 14:34:09 +0800 Subject: [PATCH 020/181] translated --- .../LXD/Part 4 - LXD 2.0--Resource control.md | 407 ------------------ .../LXD/Part 4 - LXD 2.0--Resource control.md | 406 +++++++++++++++++ 2 files changed, 406 insertions(+), 407 deletions(-) delete mode 100644 sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md create mode 100644 translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md diff --git a/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md deleted file mode 100644 index edfdaf4f99..0000000000 --- a/sources/tech/LXD/Part 4 - LXD 2.0--Resource control.md +++ /dev/null 
@@ -1,407 +0,0 @@ -translating---geekpi - -Part 4 - LXD 2.0: Resource control -====================================== - -This is the fourth blog post [in this series about LXD 2.0][0]. - -As there are a lot of commands involved with managing LXD containers, this post is rather long. If you’d instead prefer a quick step-by-step tour of those same commands, you can [try our online demo instead][1]! - -![](https://linuxcontainers.org/static/img/containers.png) - -### Available resource limits - -LXD offers a variety of resource limits. Some of those are tied to the container itself, like memory quotas, CPU limits and I/O priorities. Some are tied to a particular device instead, like I/O bandwidth or disk usage limits. - -As with all LXD configuration, resource limits can be dynamically changed while the container is running. Some may fail to apply, for example if setting a memory value smaller than the current memory usage, but LXD will try anyway and report back on failure. - -All limits can also be inherited through profiles in which case each affected container will be constrained by that limit. That is, if you set limits.memory=256MB in the default profile, every container using the default profile (typically all of them) will have a memory limit of 256MB. - -We don’t support resource limits pooling where a limit would be shared by a group of containers, there is simply no good way to implement something like that with the existing kernel APIs. - -#### Disk - -This is perhaps the most requested and obvious one. Simply setting a size limit on the container’s filesystem and have it enforced against the container. - -And that’s exactly what LXD lets you do! -Unfortunately this is far more complicated than it sounds. Linux doesn’t have path-based quotas, instead most filesystems only have user and group quotas which are of little use to containers. - -This means that right now LXD only supports disk limits if you’re using the ZFS or btrfs storage backend. 
It may be possible to implement this feature for LVM too but this depends on the filesystem being used with it and gets tricky when combined with live updates as not all filesystems allow online growth and pretty much none of them allow online shrink. - -#### CPU - -When it comes to CPU limits, we support 4 different things: - -* Just give me X CPUs - - In this mode, you let LXD pick a bunch of cores for you and then load-balance things as more containers and CPUs go online/offline. - - The container only sees that number of CPU. -* Give me a specific set of CPUs (say, core 1, 3 and 5) - - Similar to the first mode except that no load-balancing is happening, you’re stuck with those cores no matter how busy they may be. -* Give me 20% of whatever you have - - In this mode, you get to see all the CPUs but the scheduler will restrict you to 20% of the CPU time but only when under load! So if the system isn’t busy, your container can have as much fun as it wants. When containers next to it start using the CPU, then it gets capped. -* Out of every measured 200ms, give me 50ms (and no more than that) - - This mode is similar to the previous one in that you get to see all the CPUs but this time, you can only use as much CPU time as you set in the limit, no matter how idle the system may be. On a system without over-commit this lets you slice your CPU very neatly and guarantees constant performance to those containers. - -It’s also possible to combine one of the first two with one of the last two, that is, request a set of CPUs and then further restrict how much CPU time you get on those. - -On top of that, we also have a generic priority knob which is used to tell the scheduler who wins when you’re under load and two containers are fighting for the same resource. - -#### Memory - -Memory sounds pretty simple, just give me X MB of RAM! - -And it absolutely can be that simple. 
We support that kind of limits as well as percentage based requests, just give me 10% of whatever the host has! - -Then we support some extra stuff on top. For example, you can choose to turn swap on and off on a per-container basis and if it’s on, set a priority so you can choose what container will have their memory swapped out to disk first! - -Oh and memory limits are “hard” by default. That is, when you run out of memory, the kernel out of memory killer will start having some fun with your processes. - -Alternatively you can set the enforcement policy to “soft”, in which case you’ll be allowed to use as much memory as you want so long as nothing else is. As soon as something else wants that memory, you won’t be able to allocate anything until you’re back under your limit or until the host has memory to spare again. - -#### Network I/O - -Network I/O is probably our simplest looking limit, trust me, the implementation really isn’t simple though! - -We support two things. The first is a basic bit/s limits on network interfaces. You can set a limit of ingress and egress or just set the “max” limit which then applies to both. This is only supported for “bridged” and “p2p” type interfaces. - -The second thing is a global network I/O priority which only applies when the network interface you’re trying to talk through is saturated. - -#### Block I/O - -I kept the weirdest for last. It may look straightforward and feel like that to the user but there are a bunch of cases where it won’t exactly do what you think it should. - -What we support here is basically identical to what I described in Network I/O. - -You can set IOps or byte/s read and write limits directly on a disk device entry and there is a global block I/O priority which tells the I/O scheduler who to prefer. - -The weirdness comes from how and where those limits are applied. Unfortunately the underlying feature we use to implement those uses full block devices. 
That means we can’t set per-partition I/O limits let alone per-path. - -It also means that when using ZFS or btrfs which can use multiple block devices to back a given path (with or without RAID), we effectively don’t know what block device is providing a given path. - -This means that it’s entirely possible, in fact likely, that a container may have multiple disk entries (bind-mounts or straight mounts) which are coming from the same underlying disk. - -And that’s where things get weird. To make things work, LXD has logic to guess what block devices back a given path, this does include interrogating the ZFS and btrfs tools and even figures things out recursively when it finds a loop mounted file backing a filesystem. - -That logic while not perfect, usually yields a set of block devices that should have a limit applied. LXD then records that and moves on to the next path. When it’s done looking at all the paths, it gets to the very weird part. It averages the limits you’ve set for every affected block devices and then applies those. - -That means that “in average” you’ll be getting the right speed in the container, but it also means that you can’t have a “/fast” and a “/slow” directory both coming from the same physical disk and with differing speed limits. LXD will let you set it up but in the end, they’ll both give you the average of the two values. - -### How does it all work? - -Most of the limits described above are applied through the Linux kernel Cgroups API. That’s with the exception of the network limits which are applied through good old “tc”. - -LXD at startup time detects what cgroups are enabled in your kernel and will only apply the limits which your kernel support. Should you be missing some cgroups, a warning will also be printed by the daemon which will then get logged by your init system. 
- -On Ubuntu 16.04, everything is enabled by default with the exception of swap memory accounting which requires you pass the “swapaccount=1” kernel boot parameter. - -### Applying some limits - -All the limits described above are applied directly to the container or to one of its profiles. Container-wide limits are applied with: - -``` -lxc config set CONTAINER KEY VALUE -``` - -or for a profile: - -``` -lxc profile set PROFILE KEY VALUE -``` - -while device-specific ones are applied with: - -``` -lxc config device set CONTAINER DEVICE KEY VALUE -``` - -or for a profile: - -``` -lxc profile device set PROFILE DEVICE KEY VALUE -``` - -The complete list of valid configuration keys, device types and device keys can be [found here][1]. - -#### CPU - -To just limit a container to any 2 CPUs, do: - -``` -lxc config set my-container limits.cpu 2 -``` - -To pin to specific CPU cores, say the second and fourth: - -``` -lxc config set my-container limits.cpu 1,3 -``` - -More complex pinning ranges like this works too: - -``` -lxc config set my-container limits.cpu 0-3,7-11 -``` - -The limits are applied live, as can be seen in this example: - -``` -stgraber@dakara:~$ lxc exec zerotier -- cat /proc/cpuinfo | grep ^proces -processor : 0 -processor : 1 -processor : 2 -processor : 3 -stgraber@dakara:~$ lxc config set zerotier limits.cpu 2 -stgraber@dakara:~$ lxc exec zerotier -- cat /proc/cpuinfo | grep ^proces -processor : 0 -processor : 1 -``` - -Note that to avoid utterly confusing userspace, lxcfs arranges the /proc/cpuinfo entries so that there are no gaps. 
- -As with just about everything in LXD, those settings can also be applied in profiles: - -``` -stgraber@dakara:~$ lxc exec snappy -- cat /proc/cpuinfo | grep ^proces -processor : 0 -processor : 1 -processor : 2 -processor : 3 -stgraber@dakara:~$ lxc profile set default limits.cpu 3 -stgraber@dakara:~$ lxc exec snappy -- cat /proc/cpuinfo | grep ^proces -processor : 0 -processor : 1 -processor : 2 -``` - -To limit the CPU time of a container to 10% of the total, set the CPU allowance: - -``` -lxc config set my-container limits.cpu.allowance 10% -``` - -Or to give it a fixed slice of CPU time: - -``` -lxc config set my-container limits.cpu.allowance 25ms/200ms -``` - -And lastly, to reduce the priority of a container to a minimum: - -``` -lxc config set my-container limits.cpu.priority 0 -``` - -#### Memory - -To apply a straightforward memory limit run: - -``` -lxc config set my-container limits.memory 256MB -``` - -(The supported suffixes are kB, MB, GB, TB, PB and EB) - -To turn swap off for the container (defaults to enabled): - -``` -lxc config set my-container limits.memory.swap false -``` - -To tell the kernel to swap this container’s memory first: - -``` -lxc config set my-container limits.memory.swap.priority 0 -``` - -And finally if you don’t want hard memory limit enforcement: - -``` -lxc config set my-container limits.memory.enforce soft -``` - -#### Disk and block I/O - -Unlike CPU and memory, disk and I/O limits are applied to the actual device entry, so you either need to edit the original device or mask it with a more specific one. 
- -To set a disk limit (requires btrfs or ZFS): - -``` -lxc config device set my-container root size 20GB -``` - -For example: - -``` -stgraber@dakara:~$ lxc exec zerotier -- df -h / -Filesystem Size Used Avail Use% Mounted on -encrypted/lxd/containers/zerotier 179G 542M 178G 1% / -stgraber@dakara:~$ lxc config device set zerotier root size 20GB -stgraber@dakara:~$ lxc exec zerotier -- df -h / -Filesystem Size Used Avail Use% Mounted on -encrypted/lxd/containers/zerotier 20G 542M 20G 3% / -``` - -To restrict speed you can do the following: - -``` -lxc config device set my-container root limits.read 30MB -lxc config device set my-container root.limits.write 10MB -``` - -Or to restrict IOps instead: - -``` -lxc config device set my-container root limits.read 20Iops -lxc config device set my-container root limits.write 10Iops -``` - -And lastly, if you’re on a busy system with over-commit, you may want to also do: - -``` -lxc config set my-container limits.disk.priority 10 -``` - -To increase the I/O priority for that container to the maximum. - -#### Network I/O - -Network I/O is basically identical to block I/O as far the knobs available. - -For example: - -``` -stgraber@dakara:~$ lxc exec zerotier -- wget http://speedtest.newark.linode.com/100MB-newark.bin -O /dev/null ---2016-03-26 22:17:34-- http://speedtest.newark.linode.com/100MB-newark.bin -Resolving speedtest.newark.linode.com (speedtest.newark.linode.com)... 50.116.57.237, 2600:3c03::4b -Connecting to speedtest.newark.linode.com (speedtest.newark.linode.com)|50.116.57.237|:80... connected. -HTTP request sent, awaiting response... 
200 OK -Length: 104857600 (100M) [application/octet-stream] -Saving to: '/dev/null' - -/dev/null 100%[===================>] 100.00M 58.7MB/s in 1.7s - -2016-03-26 22:17:36 (58.7 MB/s) - '/dev/null' saved [104857600/104857600] - -stgraber@dakara:~$ lxc profile device set default eth0 limits.ingress 100Mbit -stgraber@dakara:~$ lxc profile device set default eth0 limits.egress 100Mbit -stgraber@dakara:~$ lxc exec zerotier -- wget http://speedtest.newark.linode.com/100MB-newark.bin -O /dev/null ---2016-03-26 22:17:47-- http://speedtest.newark.linode.com/100MB-newark.bin -Resolving speedtest.newark.linode.com (speedtest.newark.linode.com)... 50.116.57.237, 2600:3c03::4b -Connecting to speedtest.newark.linode.com (speedtest.newark.linode.com)|50.116.57.237|:80... connected. -HTTP request sent, awaiting response... 200 OK -Length: 104857600 (100M) [application/octet-stream] -Saving to: '/dev/null' - -/dev/null 100%[===================>] 100.00M 11.4MB/s in 8.8s - -2016-03-26 22:17:56 (11.4 MB/s) - '/dev/null' saved [104857600/104857600] -``` - -And that’s how you throttle an otherwise nice gigabit connection to a mere 100Mbit/s one! 
- -And as with block I/O, you can set an overall network priority with: - -``` -lxc config set my-container limits.network.priority 5 -``` - -### Getting the current resource usage - -The [LXD API][2] exports quite a bit of information on current container resource usage, you can get: - -* Memory: current, peak, current swap and peak swap -* Disk: current disk usage -* Network: bytes and packets received and transferred for every interface - -And now if you’re running a very recent LXD (only in git at the time of this writing), you can also get all of those in “lxc info”: - -``` -stgraber@dakara:~$ lxc info zerotier -Name: zerotier -Architecture: x86_64 -Created: 2016/02/20 20:01 UTC -Status: Running -Type: persistent -Profiles: default -Pid: 29258 -Ips: - eth0: inet 172.17.0.101 - eth0: inet6 2607:f2c0:f00f:2700:216:3eff:feec:65a8 - eth0: inet6 fe80::216:3eff:feec:65a8 - lo: inet 127.0.0.1 - lo: inet6 ::1 - lxcbr0: inet 10.0.3.1 - lxcbr0: inet6 fe80::f0bd:55ff:feee:97a2 - zt0: inet 29.17.181.59 - zt0: inet6 fd80:56c2:e21c:0:199:9379:e711:b3e1 - zt0: inet6 fe80::79:e7ff:fe0d:5123 -Resources: - Processes: 33 - Disk usage: - root: 808.07MB - Memory usage: - Memory (current): 106.79MB - Memory (peak): 195.51MB - Swap (current): 124.00kB - Swap (peak): 124.00kB - Network usage: - lxcbr0: - Bytes received: 0 bytes - Bytes sent: 570 bytes - Packets received: 0 - Packets sent: 0 - zt0: - Bytes received: 1.10MB - Bytes sent: 806 bytes - Packets received: 10957 - Packets sent: 10957 - eth0: - Bytes received: 99.35MB - Bytes sent: 5.88MB - Packets received: 64481 - Packets sent: 64481 - lo: - Bytes received: 9.57kB - Bytes sent: 9.57kB - Packets received: 81 - Packets sent: 81 -Snapshots: - zerotier/blah (taken at 2016/03/08 23:55 UTC) (stateless) -``` - -### Conclusion - -The LXD team spent quite a few months iterating over the language we’re using for those limits. It’s meant to be as simple as it can get while remaining very powerful and specific when you want it to. 
- -Live application of those limits and inheritance through profiles makes it a very powerful tool to live manage the load on your servers without impacting the running services. - -### Extra information - -The main LXD website is at: -Development happens on Github at: -Mailing-list support happens on: -IRC support happens in: #lxcontainers on irc.freenode.net - -And if you don’t want or can’t install LXD on your own machine, you can always [try it online instead][3]! - - --------------------------------------------------------------------------------- - -via: https://www.stgraber.org/2016/03/26/lxd-2-0-resource-control-412/ - -作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://www.stgraber.org/author/stgraber/ -[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ -[1]: https://github.com/lxc/lxd/blob/master/doc/configuration.md -[2]: https://github.com/lxc/lxd/blob/master/doc/rest-api.md -[3]: https://linuxcontainers.org/lxd/try-it diff --git a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md new file mode 100644 index 0000000000..f1a0298775 --- /dev/null +++ b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md 
@@ -0,0 +1,406 @@ +LXD 2.0 系列(四):资源控制 +====================================== + +这是 [LXD 2.0 系列介绍文章][0]的第四篇。 + +因为lxd容器管理有很多命令,因此这篇文章会很长。 如果你想要快速地浏览这些相同的命令,你可以[尝试下我们的在线演示][1]! + +![](https://linuxcontainers.org/static/img/containers.png) + +### 可用资源限制 + +LXD提供了不同的资源限制。其中一些绑定到容器本身,如内存配额,CPU限制和I/O优先级。一些与特定设备绑定,如I/O带宽或磁盘使用限制。 + +与所有LXD配置一样,资源限制可以在容器运行时动态更改。某些可能无法启用,例如,如果设置的内存值小于当前内存使用,但LXD将会重试并且报告失败。 + +所有限制也可以通过配置文件继承,在这种情况下每个受影响的容器将受到该限制的约束。也就是说,如果在默认配置文件中设置limits.memory=256MB,则使用默认配置文件(通常是所有配置文件)的每个容器的内存限制为256MB。 + +我们不支持资源限制池,其中的限制将由一组容器共享,因为我们没有什么好的方法由现有的内核API实现这些功能。 + +#### 磁盘 + +这或许是最需要和最明显的需求。 只需设置容器文件系统的大小限制,并对容器强制执行。 + +这就是LXD让你做的! +不幸的是,这比它听起来复杂得多。 Linux没有基于路径的配额,而大多数文件系统只有基于用户和组的配额,这对容器没有什么用处。 + +如果你正在使用ZFS或btrfs存储后端,这意味着现在LXD只能支持磁盘限制。也有可能为LVM实现此功能,但这取决于与它一起使用的文件系统,并且如果结合实时更新那会变得棘手起来,因为并不是所有的文件系统都允许在线增长,几乎没有一个允许在线收缩。 + +#### CPU + +当涉及到CPU的限制,我们支持4种不同的东西: + +*只给我X个CPU核心 + +  在这种模式下,你让LXD为你选择一组核心,然后为更多的容器和CPU的上线/下线提供负载均衡。 +   +  容器只看到这个数量的CPU核心。 +*给我一组特定的CPU核心(例如,核心1,3和5) + +  类似于第一种模式,除了没有发生负载均衡,你会被限制在那些核心,无论它们有多忙。 +*给我你拥有的20% + +  在这种模式下,你可以看到所有的CPU,但调度程序将限制你使用20%的CPU时间,但这只有在负载状态才会这样!所以如果系统不忙,你的容器可以跑得很欢。当其他的容器也开始使用CPU时,它会被限制。 +*每测量200ms,给我50ms(并且不超过) + +  此模式与上一个模式类似,你可以看到所有的CPU,但这一次,无论系统可能是多么空闲,你只能使用你设置的极限时间下的尽可能多的CPU时间。在没有过量使用的系统上,这可使你可以非常整齐地分割CPU,并确保这些容器的持续性能。 + +另外还可以将前两个中的一个与最后两个之一相结合,即请求一组CPU,然后进一步限制这些CPU的CPU时间。 + +除此之外,我们还有一个通用的优先级调节方式,可以告诉调度器当你处于负载状态时,两个争夺资源的容器谁会取得胜利。 + +#### 内存 + +内存听起来很简单,只是给我多少MB的内存! + +它绝对可以那么简单。 我们支持这种限制以及基于百分比的请求,比如给我10%的主机内存! + +另外我们在上层支持一些额外的东西。 例如,你可以选择在每个容器上打开或者关闭swap,如果打开,还可以设置优先级,以便你可以选择哪些容器先将内存交换到磁盘! + +内存限制默认是“hard”。 也就是说,当内存耗尽时,内核将会开始杀掉你的那些进程。 + +或者,你可以将强制策略设置为“soft”,在这种情况下,只要没有别的进程的情况下,你将被允许使用尽可能多的内存。一旦别的进程想要这块内存,你将无法分配任何内存直到你低于你的限制或者主机内存再次有空余。 + +#### 网络 I/O + +网络I/O可能是我们最简单的限制,但是相信我,实现真的不简单! 
+ +我们支持两种限制。 第一个是对网络接口的速率限制。 你可以设置入口和出口的限制,或者只是设置“最大”限制然后应用到出口和入口。这个只支持“桥接”和“p2p”类型接口。 + +第二种是全局网络I/O优先级,仅当你的网络接口趋于饱和的时候再使用。 + +#### 块 I/O + +我把最古怪的放在最后。对于用户看起来它可能简单,但有一些情况下,它的结果并不会和你的预期一样。 + +我们在这里支持的基本上与我在网络I/O中描述的相同。 + +你可以直接设置磁盘的读写IO频率和速率,并且有一个全局的块I/O优先级,它会通知I/O调度程序更倾向哪个。 + +奇怪的是如何以及在哪里应用这些限制。不幸的是,我们用于实现这些功能的底层使用的是完整的块设备。这意味着我们不能为每个路径设置每个分区的I/O限制。 + +这也意味着当使用可以支持多个块设备的ZFS或btrfs(带或者不带RAID)回到指定的路径,我们并不知道这个路径是哪个块设备提供的。 + +这意味着,完全有可能,实际上有可能,容器使用的磁盘可能来自于多个不同的物理磁盘(绑定挂载或直接挂载)。 + +这就使限制变得很奇怪。为了使限制生效,LXD具有猜测给定路径对应块设备的逻辑,这其中包括询问ZFS和btrfs工具,甚至可以在发现一个文件系统中的循环挂载的文件时递归地找出它们。 + +这个逻辑虽然不完美,但通常会产生一组应该应用限制的块设备。LXD接着记录并移动到下一个路径。当遍历完所有的路径,它就得到了非常奇怪的部分。它会平均你为相应块设备设置的限制,然后应用这些。 + +这意味着你将在容器中“平均”地获得正确的速度,但这也意味着你不能对来自同一个物理磁盘的“/fast”和一个“/slow”目录应用不同的速度限制。 LXD允许你设置它,但最后,它会给你这两个值的平均值。 + +### 它怎么工作? + +除了网络限制是通过较旧但是良好的“tc”实现的,上述大多数限制是通过Linux内核的cgroup API来实现的。 + +LXD在启动时会检测你在内核中启用了哪些cgroup,并且将只应用内核支持的限制。 如果你缺少一些cgroups,守护进程会输出警告,接着你的init系统将会记录这些。 + +在Ubuntu 16.04上,默认情况下除了内存交换审计外将会启用所有限制,它需要你通过“swapaccount = 1”这个内核引导参数启用它。 + +### 应用这些限制 + +上述所有限制都能够直接或者用某个配置文件应用于容器。容器范围的限制可以使用: + +``` +lxc config set CONTAINER KEY VALUE +``` + +对应配置文件: + +``` +lxc profile set PROFILE KEY VALUE +``` + +当指定特定设备时: + +``` +lxc config device set CONTAINER DEVICE KEY VALUE +``` + +对应配置文件 + +``` +lxc profile device set PROFILE DEVICE KEY VALUE +``` + +完整有效的配置键、设备类型和设备键可以[看这里][1]。 + +#### CPU + +要限制使用任意两个cpu核心可以这么做: + +``` +lxc config set my-container limits.cpu 2 +``` + +要指定特定的cpu核心,也就是之前说的第二和第四种: + +``` +lxc config set my-container limits.cpu 1,3 +``` + +更加复杂的情况还可以设置范围: + +``` +lxc config set my-container limits.cpu 0-3,7-11 +``` + +The limits are applied live, as can be seen in this example: +限制实时生效,你可以看下面的例子 + +``` +stgraber@dakara:~$ lxc exec zerotier -- cat /proc/cpuinfo | grep ^proces +processor : 0 +processor : 1 +processor : 2 +processor : 3 +stgraber@dakara:~$ lxc config set zerotier limits.cpu 2 +stgraber@dakara:~$ lxc exec zerotier -- cat /proc/cpuinfo | grep ^proces +processor : 0 +processor : 1 +``` + 
+注意,为了避免完全混淆用户空间,lxcfs会重排/proc/cpuinfo中的条目,以便没有错误。 + +就像LXD中的一切,这些设置也可以应用在配置文件中: + +``` +stgraber@dakara:~$ lxc exec snappy -- cat /proc/cpuinfo | grep ^proces +processor : 0 +processor : 1 +processor : 2 +processor : 3 +stgraber@dakara:~$ lxc profile set default limits.cpu 3 +stgraber@dakara:~$ lxc exec snappy -- cat /proc/cpuinfo | grep ^proces +processor : 0 +processor : 1 +processor : 2 +``` + +要限制容器使用10%的cpu时间,要设置下cpu allowance: + +``` +lxc config set my-container limits.cpu.allowance 10% +``` + +或者给他一个固定的cpu切片时间: + +``` +lxc config set my-container limits.cpu.allowance 25ms/200ms +``` + +最后,要将容器的cpu优先级调到最低: + +``` +lxc config set my-container limits.cpu.priority 0 +``` + +#### 内存 + +要直接应用内存限制运行下面的命令: + +``` +lxc config set my-container limits.memory 256MB +``` + +(支持的后缀后KB、MB、GB、TB、PB、EB) + +要关闭容器的内存交换(默认启用): + +``` +lxc config set my-container limits.memory.swap false +``` + +告诉内核首先交换指定容器的内存: + +``` +lxc config set my-container limits.memory.swap.priority 0 +``` + +如果你不想要强制的内存限制: + +``` +lxc config set my-container limits.memory.enforce soft +``` + +#### 磁盘和块I/O + +不像CPU和内存,磁盘和I/O限制是直接作用在实际的设备上的,因此你需要编辑原始设备或者屏蔽某个具体的设备。 + +要设置磁盘限制(需要btrfs或者ZFS): + +``` +lxc config device set my-container root size 20GB +``` + +比如: + +``` +stgraber@dakara:~$ lxc exec zerotier -- df -h / +Filesystem Size Used Avail Use% Mounted on +encrypted/lxd/containers/zerotier 179G 542M 178G 1% / +stgraber@dakara:~$ lxc config device set zerotier root size 20GB +stgraber@dakara:~$ lxc exec zerotier -- df -h / +Filesystem Size Used Avail Use% Mounted on +encrypted/lxd/containers/zerotier 20G 542M 20G 3% / +``` + +要限制速度,你可以: + +``` +lxc config device set my-container root limits.read 30MB +lxc config device set my-container root.limits.write 10MB +``` + +或者限制IO频率: + +``` +lxc config device set my-container root limits.read 20Iops +lxc config device set my-container root limits.write 10Iops +``` + +最后你在一个过量使用的繁忙系统上,你或许想要: + +``` +lxc config set my-container limits.disk.priority 10 +``` + 
+将那个容器的I/O优先级调到最高。 + +#### 网络 I/O + +只要机制可用,网络I/O基本等同于块I/O。 + +比如: + +``` +stgraber@dakara:~$ lxc exec zerotier -- wget http://speedtest.newark.linode.com/100MB-newark.bin -O /dev/null +--2016-03-26 22:17:34-- http://speedtest.newark.linode.com/100MB-newark.bin +Resolving speedtest.newark.linode.com (speedtest.newark.linode.com)... 50.116.57.237, 2600:3c03::4b +Connecting to speedtest.newark.linode.com (speedtest.newark.linode.com)|50.116.57.237|:80... connected. +HTTP request sent, awaiting response... 200 OK +Length: 104857600 (100M) [application/octet-stream] +Saving to: '/dev/null' + +/dev/null 100%[===================>] 100.00M 58.7MB/s in 1.7s + +2016-03-26 22:17:36 (58.7 MB/s) - '/dev/null' saved [104857600/104857600] + +stgraber@dakara:~$ lxc profile device set default eth0 limits.ingress 100Mbit +stgraber@dakara:~$ lxc profile device set default eth0 limits.egress 100Mbit +stgraber@dakara:~$ lxc exec zerotier -- wget http://speedtest.newark.linode.com/100MB-newark.bin -O /dev/null +--2016-03-26 22:17:47-- http://speedtest.newark.linode.com/100MB-newark.bin +Resolving speedtest.newark.linode.com (speedtest.newark.linode.com)... 50.116.57.237, 2600:3c03::4b +Connecting to speedtest.newark.linode.com (speedtest.newark.linode.com)|50.116.57.237|:80... connected. +HTTP request sent, awaiting response... 200 OK +Length: 104857600 (100M) [application/octet-stream] +Saving to: '/dev/null' + +/dev/null 100%[===================>] 100.00M 11.4MB/s in 8.8s + +2016-03-26 22:17:56 (11.4 MB/s) - '/dev/null' saved [104857600/104857600] +``` + +这就是如何将一个千兆网的连接速度限制到仅仅100Mbit/s的! 
+ +和块I/O一样,你可以设置一个总体的网络优先级: + +``` +lxc config set my-container limits.network.priority 5 +``` + +### 获取当前资源使用率 + +[LXD API][2]可以导出目前容器资源使用情况的一点信息,你可以得到: + +* 内存:当前、峰值、目前内存交换和峰值内存交换 +* 磁盘:当前磁盘使用率 +* 网络:每个接口传输的字节和包数。 + +另外如果你使用的是非常新的LXD(在写这篇文章时的git版本),你还可以在“lxc info”中得到这些信息: + +``` +stgraber@dakara:~$ lxc info zerotier +Name: zerotier +Architecture: x86_64 +Created: 2016/02/20 20:01 UTC +Status: Running +Type: persistent +Profiles: default +Pid: 29258 +Ips: + eth0: inet 172.17.0.101 + eth0: inet6 2607:f2c0:f00f:2700:216:3eff:feec:65a8 + eth0: inet6 fe80::216:3eff:feec:65a8 + lo: inet 127.0.0.1 + lo: inet6 ::1 + lxcbr0: inet 10.0.3.1 + lxcbr0: inet6 fe80::f0bd:55ff:feee:97a2 + zt0: inet 29.17.181.59 + zt0: inet6 fd80:56c2:e21c:0:199:9379:e711:b3e1 + zt0: inet6 fe80::79:e7ff:fe0d:5123 +Resources: + Processes: 33 + Disk usage: + root: 808.07MB + Memory usage: + Memory (current): 106.79MB + Memory (peak): 195.51MB + Swap (current): 124.00kB + Swap (peak): 124.00kB + Network usage: + lxcbr0: + Bytes received: 0 bytes + Bytes sent: 570 bytes + Packets received: 0 + Packets sent: 0 + zt0: + Bytes received: 1.10MB + Bytes sent: 806 bytes + Packets received: 10957 + Packets sent: 10957 + eth0: + Bytes received: 99.35MB + Bytes sent: 5.88MB + Packets received: 64481 + Packets sent: 64481 + lo: + Bytes received: 9.57kB + Bytes sent: 9.57kB + Packets received: 81 + Packets sent: 81 +Snapshots: + zerotier/blah (taken at 2016/03/08 23:55 UTC) (stateless) +``` + +### 总结 + +LXD团队花费了几个月的时间来迭代我们使用的这些限制语言。 它是为了在保持强大和功能明确的基础上同时保持简单。 + +实时的应用限制和继承配置文件,使其成为一种非常强大的工具,可以在不影响正在运行的服务的情况下实时管理服务器上的负载。 + +### 额外的信息 + +LXD主站: +Github上的页面: +邮件列表: +IRC:#lxcontainers on irc.freenode.net + +如果你不想在你的机器上安装LXD,你可以[在线尝试下][3] + + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/03/26/lxd-2-0-resource-control-412/ + +作者:[Stéphane Graber][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 
[LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://www.stgraber.org/author/stgraber/ +[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ +[1]: https://github.com/lxc/lxd/blob/master/doc/configuration.md +[2]: https://github.com/lxc/lxd/blob/master/doc/rest-api.md +[3]: https://linuxcontainers.org/lxd/try-it From 792215d26b8720a07336fb3d596f454b43517bdf Mon Sep 17 00:00:00 2001 From: geekpi Date: Tue, 27 Dec 2016 14:46:40 +0800 Subject: [PATCH 021/181] translating --- sources/tech/LXD/Part 5 - LXD 2.0--Image management.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md b/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md index 025a8a793a..f944f9d5b8 100644 --- a/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md +++ b/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md @@ -1,3 +1,5 @@ +translating---geekpi + Part 5 - LXD 2.0: Image management ================================== This is the fifth blog post [in this series about LXD 2.0][0]. From cf590b7a9fa2f832e1cdac9b604f6242538e9c52 Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Tue, 27 Dec 2016 15:48:47 +0800 Subject: [PATCH 022/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对中 --- ... Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index 3001e0c28d..62b8dec1f9 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD 
@@ -218,7 +218,7 @@ via: http://firstround.com/review/forget-technical-debt-heres-how-to-build-techn 译者:[rusking](https://github.com/rusking) -校对:[校对者ID](https://github.com/校对者ID) +校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 01a5203ecae86641d2e4ab4a4f2a74b4831b4522 Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Tue, 27 Dec 2016 17:38:44 +0800 Subject: [PATCH 023/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对中 --- ...get Technical Debt —Here'sHowtoBuild Technical Wealth.MD | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index 62b8dec1f9..b6c5594622 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD 
@@ -1,11 +1,11 @@ # Forget Technical Debt —Here'sHowtoBuild Technical Wealth #忘记技术债务——教你如何创造技术财富 -电视里正播放着《老屋》节目,[Andrea Goulet][58]和她商业上的合作伙伴正悠闲地坐在客厅里商讨着他们的战略计划。那正是大家思想的火花碰撞出创新事物的时刻。他们正在寻求一种能够实现自身价值的方式——为其它公司清理遗留代码及科技债务。他们此刻的情景,像极了电视里的剧情。 +电视里正播放着《老屋》节目,[Andrea Goulet][58] 和她商业上的合作伙伴正悠闲地坐在客厅里,商讨着他们的战略计划。那正是大家思想的火花碰撞出创新事物的时刻。他们正在寻求一种能够实现自身价值的方式 —— 为其它公司清理遗留代码legacy code及科技债务。他们此刻的情景,像极了电视里的场景。(译者注:《老屋》电视节目提供专业的家装,家庭改建,重新装饰,创意等等信息,与软件的改造有异曲同工之处)。 -“我们意识到我们现在做的工作不仅仅是清理出遗留代码,实际上我们是在用重建老屋的方式来重构软件,让系统运行更持久,更稳定,更高效,”Goulet说。“这让我开始思考着如何让更多的公司花钱来改善他们的代码,以便让他们的系统运行更高效。就好比为了让屋子变得更实用,你不得不使用一个全新的屋顶。这并不吸引人,但却是至关重要的,然而很多人都搞错了。“ +“我们意识到我们现在做的工作不仅仅是清理遗留代码,实际上我们是在用重建老屋的方式来重构软件,让系统运行更持久,更稳定,更高效,”Goulet 说。“这让我开始思考公司如何花钱来改善他们的代码,以便让他们的系统运行更高效。就好比为了让屋子变得更有价值,你不得不使用一个全新的屋顶。这并不吸引人,但却是至关重要的,然而很多人都搞错了。“ -如今,她是[Corgibytes][57]公司的CEO——一家提高软件现代化和进行系统重构方面的咨询公司。她曾经见过各种各样糟糕的系统,遗留代码,以及不计其数的严重的科技债务事件。Goulet认为创业公司需要从偿还债务思维模式向创造科技财富的思维模式转变,并且要从铲除旧代码的方式向逐步修复的方式转变。她解释了这种新的方法,以及如何完成这些看似不可能完成的事情——实际上是聘用大量的工程事来完成这些工作。 +如今,她是 [Corgibytes][57] 公司的 CEO —— 一家提高软件现代化和进行系统重构方面的咨询公司。她曾经见过各种各样糟糕的系统,遗留代码,以及严重的科技债务事件。Goulet 认为创业公司需要转变思维模式,不是偿还债务,而是创造科技财富,不是要铲除旧代码,而是要逐步修复代码。她解释了这种新的方法,以及如何完成这些看似不可能完成的事情 —— 实际上是聘用优秀的工程师来完成这些工作。 ### 反思遗留代码 From 4246954719d7375242a4ba25191d39d4fd7b8fa1 Mon Sep 17 00:00:00 2001 From: geekpi Date: Tue, 27 Dec 2016 21:23:56 +0800 Subject: [PATCH 024/181] translated --- .../LXD/Part 5 - LXD 2.0--Image management.md | 460 ----------------- .../LXD/Part 4 - LXD 2.0--Resource control.md | 13 +- .../LXD/Part 5 - LXD 2.0--Image management.md | 473 ++++++++++++++++++ 3 files changed, 481 insertions(+), 465 deletions(-) delete mode 100644 sources/tech/LXD/Part 5 - LXD 2.0--Image management.md create mode 100644 translated/tech/LXD/Part 5 - LXD 2.0--Image management.md diff --git a/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md b/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md deleted file mode 100644 index f944f9d5b8..0000000000 
--- a/sources/tech/LXD/Part 5 - LXD 2.0--Image management.md +++ /dev/null 
@@ -1,460 +0,0 @@ -translating---geekpi - -Part 5 - LXD 2.0: Image management -================================== -This is the fifth blog post [in this series about LXD 2.0][0]. - -As there are a lot of commands involved with managing LXD containers, this post is rather long. If you’d instead prefer a quick step-by-step tour of those same commands, you can [try our online demo instead][1]! - -![](https://linuxcontainers.org/static/img/containers.png) - -### Container images - -If you’ve used LXC before, you probably remember those LXC “templates”, basically shell scripts that spit out a container filesystem and a bit of configuration. - -Most templates generate the filesystem by doing a full distribution bootstrapping on your local machine. This may take quite a while, won’t work for all distributions and may require significant network bandwidth. - -Back in LXC 1.0, I wrote a “download” template which would allow users to download pre-packaged container images, generated on a central server from the usual template scripts and then heavily compressed, signed and distributed over https. A lot of our users switched from the old style container generation to using this new, much faster and much more reliable method of creating a container. - -With LXD, we’re taking this one step further by being all-in on the image based workflow. All containers are created from an image and we have advanced image caching and pre-loading support in LXD to keep the image store up to date. - -### Interacting with LXD images - -Before digging deeper into the image format, lets quickly go through what LXD lets you do with those images. - -#### Transparently importing images - -All containers are created from an image. The image may have come from a remote image server and have been pulled using its full hash, short hash or an alias, but in the end, every LXD container is created from a local image. 
- -Here are a few examples: - -``` -lxc launch ubuntu:14.04 c1 -lxc launch ubuntu:75182b1241be475a64e68a518ce853e800e9b50397d2f152816c24f038c94d6e c2 -lxc launch ubuntu:75182b1241be c3 -``` - -All of those refer to the same remote image (at the time of this writing), the first time one of those is run, the remote image will be imported in the local LXD image store as a cached image, then the container will be created from it. - -The next time one of those commands are run, LXD will only check that the image is still up to date (when not referring to it by its fingerprint), if it is, it will create the container without downloading anything. - -Now that the image is cached in the local image store, you can also just start it from there without even checking if it’s up to date: - -``` -lxc launch 75182b1241be c4 -``` - -And lastly, if you have your own local image under the name “myimage”, you can just do: - -``` -lxc launch my-image c5 -``` - -If you want to change some of that automatic caching and expiration behavior, there are instructions in an earlier post in this series. - -#### Manually importing images - -##### Copying from an image server - -If you want to copy some remote image into your local image store but not immediately create a container from it, you can use the “lxc image copy” command. It also lets you tweak some of the image flags, for example: - -``` -lxc image copy ubuntu:14.04 local: -``` - -This simply copies the remote image into the local image store. 
- -If you want to be able to refer to your copy of the image by something easier to remember than its fingerprint, you can add an alias at the time of the copy: - -``` -lxc image copy ubuntu:12.04 local: --alias old-ubuntu -lxc launch old-ubuntu c6 -``` - -And if you would rather just use the aliases that were set on the source server, you can ask LXD to copy the for you: - -lxc image copy ubuntu:15.10 local: --copy-aliases -lxc launch 15.10 c7 -All of the copies above were one-shot copy, so copying the current version of the remote image into the local image store. If you want to have LXD keep the image up to date, as it does for the ones stored in its cache, you need to request it with the `–auto-update` flag: - -``` -lxc image copy images:gentoo/current/amd64 local: --alias gentoo --auto-update -``` - -##### Importing a tarball - -If someone provides you with a LXD image as a single tarball, you can import it with: - -``` -lxc image import -``` - -If you want to set an alias at import time, you can do it with: - -``` -lxc image import --alias random-image -``` - -Now if you were provided with two tarballs, identify which contains the LXD metadata. Usually the tarball name gives it away, if not, pick the smallest of the two, metadata tarballs are tiny. Then import them both together with: - -``` -lxc image import -``` - -##### Importing from a URL - -“lxc image import” also works with some special URLs. If you have an https web server which serves a path with the LXD-Image-URL and LXD-Image-Hash headers set, then LXD will pull that image into its image store. - -For example you can do: - -``` -lxc image import https://dl.stgraber.org/lxd --alias busybox-amd64 -``` - -When pulling the image, LXD also sets some headers which the remote server could check to return an appropriate image. Those are LXD-Server-Architectures and LXD-Server-Version. - -This is meant as a poor man’s image server. 
It can be made to work with any static web server and provides a user friendly way to import your image. - -#### Managing the local image store - -Now that we have a bunch of images in our local image store, lets see what we can do with them. We’ve already covered the most obvious, creating containers from them but there are a few more things you can do with the local image store. - -##### Listing images - -To get a list of all images in the store, just run “lxc image list”: - -``` -stgraber@dakara:~$ lxc image list -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| alpine-32 | 6d9c131efab3 | yes | Alpine edge (i386) (20160329_23:52) | i686 | 2.50MB | Mar 30, 2016 at 4:36am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| busybox-amd64 | 74186c79ca2f | no | Busybox x86_64 | x86_64 | 0.79MB | Mar 30, 2016 at 4:33am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| gentoo | 1a134c5951e0 | no | Gentoo current (amd64) (20160329_14:12) | x86_64 | 232.50MB | Mar 30, 2016 at 4:34am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| my-image | c9b6e738fae7 | no | Scientific Linux 6 x86_64 (default) (20160215_02:36) | x86_64 | 625.34MB | Mar 2, 2016 at 4:56am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| old-ubuntu | 
4d558b08f22f | no | ubuntu 12.04 LTS amd64 (release) (20160315) | x86_64 | 155.09MB | Mar 30, 2016 at 4:30am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -| | 75182b1241be | no | ubuntu 14.04 LTS amd64 (release) (20160314) | x86_64 | 118.17MB | Mar 30, 2016 at 4:27am (UTC) | -+---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ -``` - -You can filter based on the alias or fingerprint simply by doing: - -``` -stgraber@dakara:~$ lxc image list amd64 -+---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ -| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | -+---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ -| busybox-amd64 | 74186c79ca2f | no | Busybox x86_64 | x86_64 | 0.79MB | Mar 30, 2016 at 4:33am (UTC) | -+---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ -| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | -+---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ -``` - -Or by specifying a key=value filter of image properties: - -``` -stgraber@dakara:~$ lxc image list os=ubuntu 
-+-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ -| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | -+-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ -| old-ubuntu | 4d558b08f22f | no | ubuntu 12.04 LTS amd64 (release) (20160315) | x86_64 | 155.09MB | Mar 30, 2016 at 4:30am (UTC) | -+-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ -| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | -+-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ -| | 75182b1241be | no | ubuntu 14.04 LTS amd64 (release) (20160314) | x86_64 | 118.17MB | Mar 30, 2016 at 4:27am (UTC) | -+-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ -``` - -To see everything LXD knows about a given image, you can use “lxc image info”: - -``` -stgraber@castiana:~$ lxc image info ubuntu -Fingerprint: e8a33ec326ae7dd02331bd72f5d22181ba25401480b8e733c247da5950a7d084 -Size: 139.43MB -Architecture: i686 -Public: no -Timestamps: - Created: 2016/03/15 00:00 UTC - Uploaded: 2016/03/16 05:50 UTC - Expires: 2017/04/26 00:00 UTC -Properties: - version: 12.04 - aliases: 12.04,p,precise - architecture: i386 - description: ubuntu 12.04 LTS i386 (release) (20160315) - label: release - os: ubuntu - release: precise - serial: 20160315 -Aliases: - - ubuntu -Auto update: enabled -Source: - Server: https://cloud-images.ubuntu.com/releases - Protocol: simplestreams - Alias: precise/i386 -``` - -##### Editing images - -A convenient way to edit image properties and some of the flags is to use: - -lxc 
image edit -This opens up your default text editor with something like this: - -autoupdate: true -properties: - aliases: 14.04,default,lts,t,trusty - architecture: amd64 - description: ubuntu 14.04 LTS amd64 (release) (20160314) - label: release - os: ubuntu - release: trusty - serial: "20160314" - version: "14.04" -public: false -You can change any property you want, turn auto-update on and off or mark an image as publicly available (more on that later). - -##### Deleting images - -Remove an image is a simple matter of running: - -``` -lxc image delete -``` - -Note that you don’t have to remove cached entries, those will automatically be removed by LXD after they expire (by default, after 10 days since they were last used). - -##### Exporting images - -If you want to get image tarballs from images currently in your image store, you can use “lxc image export”, like: - -``` -stgraber@dakara:~$ lxc image export old-ubuntu . -Output is in . -stgraber@dakara:~$ ls -lh *.tar.xz --rw------- 1 stgraber domain admins 656 Mar 30 00:55 meta-ubuntu-12.04-server-cloudimg-amd64-lxd.tar.xz --rw------- 1 stgraber domain admins 156M Mar 30 00:55 ubuntu-12.04-server-cloudimg-amd64-lxd.tar.xz -``` - -#### Image formats - -LXD right now supports two image layouts, unified or split. Both of those are effectively LXD-specific though the latter makes it easier to re-use the filesystem with other container or virtual machine runtimes. - -LXD being solely focused on system containers, doesn’t support any of the application container “standard” image formats out there, nor do we plan to. - -Our images are pretty simple, they’re made of a container filesystem, a metadata file describing things like when the image was made, when it expires, what architecture its for, … and optionally a bunch of file templates. - -See this document for up to date details on the [image format][1]. 
- -##### Unified image (single tarball) - -The unified image format is what LXD uses when generating images itself. They are a single big tarball, containing the container filesystem inside a “rootfs” directory, have the metadata.yaml file at the root of the tarball and any template goes into a “templates” directory. - -Any compression (or none at all) can be used for that tarball. The image hash is the sha256 of the resulting compressed tarball. - -##### Split image (two tarballs) - -This format is most commonly used by anyone rolling their own images and who already have a compressed filesystem tarball. - -They are made of two distinct tarball, the first contains just the metadata bits that LXD uses, so the metadata.yaml file at the root and any template in the “templates” directory. - -The second tarball contains only the container filesystem directly at its root. Most distributions already produce such tarballs as they are common for bootstrapping new machines. This image format allows re-using them unmodified. - -Any compression (or none at all) can be used for either tarball, they can absolutely use different compression algorithms. The image hash is the sha256 of the concatenation of the metadata and rootfs tarballs. 
- -##### Image metadata - -A typical metadata.yaml file looks something like: - -``` -architecture: "i686" -creation_date: 1458040200 -properties: - architecture: "i686" - description: "Ubuntu 12.04 LTS server (20160315)" - os: "ubuntu" - release: "precise" -templates: - /var/lib/cloud/seed/nocloud-net/meta-data: - when: - - start - template: cloud-init-meta.tpl - /var/lib/cloud/seed/nocloud-net/user-data: - when: - - start - template: cloud-init-user.tpl - properties: - default: | - #cloud-config - {} - /var/lib/cloud/seed/nocloud-net/vendor-data: - when: - - start - template: cloud-init-vendor.tpl - properties: - default: | - #cloud-config - {} - /etc/init/console.override: - when: - - create - template: upstart-override.tpl - /etc/init/tty1.override: - when: - - create - template: upstart-override.tpl - /etc/init/tty2.override: - when: - - create - template: upstart-override.tpl - /etc/init/tty3.override: - when: - - create - template: upstart-override.tpl - /etc/init/tty4.override: - when: - - create - template: upstart-override.tpl -``` - -##### Properties - -The two only mandatory fields are the creation date (UNIX EPOCH) and the architecture. Everything else can be left unset and the image will import fine. - -The extra properties are mainly there to help the user figure out what the image is about. The “description” property for example is what’s visible in “lxc image list”. The other properties can be used by the user to search for specific images using key/value search. - -Those properties can then be edited by the user through “lxc image edit” in contrast, the creation date and architecture fields are immutable. - -##### Templates - -The template mechanism allows for some files in the container to be generated or re-generated at some point in the container lifecycle. - -We use the pongo2 templating engine for those and we export just about everything we know about the container to the template. 
That way you can have custom images which use user-defined container properties or normal LXD properties to change the content of some specific files. - -As you can see in the example above, we’re using those in Ubuntu to seed cloud-init and to turn off some init scripts. - -### Creating your own images - -LXD being focused on running full Linux systems means that we expect most users to just use clean distribution images and not spin their own image. - -However there are a few cases where having your own images is useful. Such as having pre-configured images of your production servers or building your own images for a distribution or architecture that we don’t build images for. - -#### Turning a container into an image - -The easiest way by far to build an image with LXD is to just turn a container into an image. - -This can be done with: - -``` -lxc launch ubuntu:14.04 my-container -lxc exec my-container bash - -lxc publish my-container --alias my-new-image -``` - -You can even turn a past container snapshot into a new image: - -``` -lxc publish my-container/some-snapshot --alias some-image -``` - -#### Manually building an image - -Building your own image is also pretty simple. - -1. Generate a container filesystem. This entirely depends on the distribution you’re using. For Ubuntu and Debian, it would be by using debootstrap. -2. Configure anything that’s needed for the distribution to work properly in a container (if anything is needed). -3. Make a tarball of that container filesystem, optionally compress it. -4. Write a new metadata.yaml file based on the one described above. -5. Create another tarball containing that metadata.yaml file. -6. Import those two tarballs as a LXD image with: - ``` - lxc image import --alias some-name - ``` - -You will probably need to go through this a few times before everything works, tweaking things here and there, possibly adding some templates and properties. 
- -### Publishing your images - -All LXD daemons act as image servers. Unless told otherwise all images loaded in the image store are marked as private and so only trusted clients can retrieve those images, but should you want to make a public image server, all you have to do is tag a few images as public and make sure you LXD daemon is listening to the network. - -#### Just running a public LXD server - -The easiest way to share LXD images is to run a publicly visible LXD daemon. - -You typically do that by running: - -``` -lxc config set core.https_address "[::]:8443" -``` - -Remote users can then add your server as a public image server with: - -``` -lxc remote add --public -``` - -They can then use it just as they would any of the default image servers. As the remote server was added with “–public”, no authentication is required and the client is restricted to images which have themselves been marked as public. - -To change what images are public, just “lxc image edit” them and set the public flag to true. - -#### Use a static web server - -As mentioned above, “lxc image import” supports downloading from a static http server. The requirements are basically: - -* The server must support HTTPs with a valid certificate, TLS1.2 and EC ciphers -* When hitting the URL provided to “lxc image import”, the server must return an answer including the LXD-Image-Hash and LXD-Image-URL HTTP headers - -If you want to make this dynamic, you can have your server look for the LXD-Server-Architectures and LXD-Server-Version HTTP headers which LXD will provide when fetching the image. This allows you to return the right image for the server’s architecture. - -#### Build a simplestreams server - -The “ubuntu:” and “ubuntu-daily:” remotes aren’t using the LXD protocol (“images:” is), those are instead using a different protocol called simplestreams. 
- -simplestreams is basically an image server description format, using JSON to describe a list of products and files related to those products. - -It is used by a variety of tools like OpenStack, Juju, MAAS, … to find, download or mirror system images and LXD supports it as a native protocol for image retrieval. - -While certainly not the easiest way to start providing LXD images, it may be worth considering if your images can also be used by some of those other tools. - -More information can be found here. - -### Conclusion - -I hope this gave you a good idea of how LXD manages its images and how to build and distribute your own. The ability to have the exact same image easily available bit for bit on a bunch of globally distributed system is a big step up from the old LXC days and leads the way to more reproducible infrastructure. - -### Extra information - -The main LXD website is at: -Development happens on Github at: -Mailing-list support happens on: -IRC support happens in: #lxcontainers on irc.freenode.net - -And if you don’t want or can’t install LXD on your own machine, you can always [try it online instead][3]! - - --------------------------------------------------------------------------------- - -via: https://www.stgraber.org/2016/03/30/lxd-2-0-image-management-512/ - -作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://www.stgraber.org/author/stgraber/ -[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ -[1]: https://github.com/lxc/lxd/blob/master/doc/image-handling.md -[2]: https://launchpad.net/simplestreams -[3]: https://linuxcontainers.org/lxd/try-it - -原文:https://www.stgraber.org/2016/03/30/lxd-2-0-image-management-512/ 
diff --git a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md index f1a0298775..dbfca7968d 100644 --- a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md +++ b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md @@ -379,12 +379,15 @@ LXD团队花费了几个月的时间来迭代我们使用的这些限制语言 实时的应用限制和继承配置文件,使其成为一种非常强大的工具,可以在不影响正在运行的服务的情况下实时管理服务器上的负载。 -### 额外的信息 +### 额外信息 -LXD主站: -Github上的页面: -邮件列表: -IRC:#lxcontainers on irc.freenode.net +LXD 的主站在: + +LXD 的 GitHub 仓库: + +LXD 的邮件列表: + +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net 如果你不想在你的机器上安装LXD,你可以[在线尝试下][3] diff --git a/translated/tech/LXD/Part 5 - LXD 2.0--Image management.md b/translated/tech/LXD/Part 5 - LXD 2.0--Image management.md new file mode 100644 index 0000000000..505a5cbf0d --- /dev/null +++ b/translated/tech/LXD/Part 5 - LXD 2.0--Image management.md 
@@ -0,0 +1,473 @@ +LXD 2.0 系列(五):镜像管理 +====================================== + +这是 [LXD 2.0 系列介绍文章][0]的第五篇。 + +因为lxd容器管理有很多命令,因此这篇文章会很长。 如果你想要快速地浏览这些相同的命令,你可以[尝试下我们的在线演示][1]! + +![](https://linuxcontainers.org/static/img/containers.png) + +### 容器镜像 + +如果你以前使用过LXC,你可能还记得那些LXC“模板”,基本上都是导出一个容器文件系统以及一点配置的shell脚本。 + +大多数模板通过在本机上根据发行版自举来生成文件系统。这可能需要相当长的时间,并且无法在所有的发行版上可用,另外可能需要大量的网络带宽。 + +回到LXC 1.0,我写了一个“下载”模板,它允许用户下载预先打包的容器镜像,在中央服务器上的模板脚本生成,接着高度压缩、签名并通过https分发。我们很多用户从旧版生成容器切换到使用这种新的,更快更可靠的创建容器的方法。 + +使用LXD,我们通过全面的基于镜像的工作流程向前迈进了一步。所有容器都是从镜像创建的,我们在LXD中具有高级镜像缓存和预加载支持,以使镜像存储保持最新。 + +### 与LXD镜像交互 + +在更深入了解镜像格式之前,让我们快速了解下LXD可以让你做些什么。 + +#### 透明地导入镜像 + +所有的容器都是有镜像创建的。镜像可以来自一台远程服务器并使用它的完整hash、短hash或者别名拉取下来,但是最终每个LXD容器都是创建自一个本地镜像。 + +这有个例子: + +``` +lxc launch ubuntu:14.04 c1 +lxc launch ubuntu:75182b1241be475a64e68a518ce853e800e9b50397d2f152816c24f038c94d6e c2 +lxc launch ubuntu:75182b1241be c3 +``` + +所有这些引用相同的远程镜像(在写这篇文章时)在第一次运行其中之一时,远程镜像将作为缓存镜像导入本地LXD镜像存储,接着从中创建容器。 + +下一次运行其中一个命令时,LXD将只检查镜像是否仍然是最新的(当不是由指纹引用时),如果是,它将创建容器而不下载任何东西。 + +现在镜像被缓存在本地镜像存储中,你也可以从那里启动它,甚至不检查它是否是最新的: + +``` +lxc launch 75182b1241be c4 +``` + +最后,如果你有个名为“myimage”的本地镜像,你可以: + +``` +lxc launch my-image c5 +``` + +如果你想要改变一些自动缓存或者过期行为,在本系列之前的文章中有一些命令。 + +#### 手动导入镜像 + +##### 从镜像服务器中复制 + +如果你想复制远程某个镜像到你本地镜像存储但不立即从它创建一个容器,你可以使用“lxc image copy”命令。它可以让你调整一些镜像标志,比如: + +``` +lxc image copy ubuntu:14.04 local: +``` + +这只是简单地复制一个远程镜像到本地存储。 + +如果您想要通过比其指纹更容易的方式来记住你引用的镜像副本,则可以在复制时添加别名: + + +``` +lxc image copy ubuntu:12.04 local: --alias old-ubuntu +lxc launch old-ubuntu c6 +``` + +如果你想要使用源服务器上设置的别名,你可以要求LXD复制下来: + +lxc image copy ubuntu:15.10 local: --copy-aliases +lxc launch 15.10 c7 + +上面的副本都是一次性拷贝,也就是复制远程镜像的当前版本到本地镜像存储中。如果你想要LXD保持镜像最新,就像它缓存中存储的那样,你需要使用`–auto-update`标志: + +``` +lxc image copy images:gentoo/current/amd64 local: --alias gentoo --auto-update +``` + +##### 导入tarball + +如果某人给你提供了一个单独的tarball,你可以用下面的命令导入: + +``` +lxc image import +``` + +如果你想在导入时设置一个别名,你可以这么做: + +``` +lxc image import --alias random-image 
+``` + +现在如果你被给了有两个tarball,识别哪个含有LXD的元数据。通常可以通过tarball名称,如果不行就选择最小的那个,元数据tarball包是很小的。 然后将它们一起导入: + +``` +lxc image import +``` + +##### 从URL中导入 + +“lxc image import”也可以与指定的URL一起使用。如果你的一台https网络服务器的某个路径中有LXD-Image-URL和LXD-Image-Hash的标头设置,那么LXD就会把这个镜像拉到镜像存储中。 + +可以参照例子这么做: + +``` +lxc image import https://dl.stgraber.org/lxd --alias busybox-amd64 +``` + +当拉取镜像时,LXD还会设置一些标头,远程服务器可以检查它们以返回适当的镜像。 它们是LXD-Server-Architectures和LXD-Server-Version。 + +这意味着它可以是一个穷人的镜像服务器。 它可以使任何静态Web服务器提供一个用户友好的方式导入你的镜像。 + + +#### 管理本地镜像存储 + +现在我们本地已经有一些镜像了,让我们瞧瞧可以做些什么。我们已经涵盖了最主要的部分,从它们来创建容器,但是你还可以在本地镜像存储上做更多。 + +##### 列出镜像 + +要列出所有的镜像,运行“lxc image list”: + +``` +stgraber@dakara:~$ lxc image list ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| alpine-32 | 6d9c131efab3 | yes | Alpine edge (i386) (20160329_23:52) | i686 | 2.50MB | Mar 30, 2016 at 4:36am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| busybox-amd64 | 74186c79ca2f | no | Busybox x86_64 | x86_64 | 0.79MB | Mar 30, 2016 at 4:33am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| gentoo | 1a134c5951e0 | no | Gentoo current (amd64) (20160329_14:12) | x86_64 | 232.50MB | Mar 30, 2016 at 4:34am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| my-image | c9b6e738fae7 | no | Scientific Linux 6 x86_64 (default) (20160215_02:36) | x86_64 | 625.34MB | Mar 2, 2016 at 4:56am (UTC) | 
++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| old-ubuntu | 4d558b08f22f | no | ubuntu 12.04 LTS amd64 (release) (20160315) | x86_64 | 155.09MB | Mar 30, 2016 at 4:30am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +| | 75182b1241be | no | ubuntu 14.04 LTS amd64 (release) (20160314) | x86_64 | 118.17MB | Mar 30, 2016 at 4:27am (UTC) | ++---------------+--------------+--------+------------------------------------------------------+--------+----------+------------------------------+ +``` + +你可以通过别名或者指纹来过滤: + +``` +stgraber@dakara:~$ lxc image list amd64 ++---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ +| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | ++---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ +| busybox-amd64 | 74186c79ca2f | no | Busybox x86_64 | x86_64 | 0.79MB | Mar 30, 2016 at 4:33am (UTC) | ++---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ +| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | ++---------------+--------------+--------+-----------------------------------------+--------+----------+------------------------------+ +``` + +或者指定一个镜像属性中的键值对来过滤: + +``` +stgraber@dakara:~$ lxc image list os=ubuntu 
++-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ +| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | ++-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ +| old-ubuntu | 4d558b08f22f | no | ubuntu 12.04 LTS amd64 (release) (20160315) | x86_64 | 155.09MB | Mar 30, 2016 at 4:30am (UTC) | ++-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ +| w (11 more) | d3703a994910 | no | ubuntu 15.10 amd64 (release) (20160315) | x86_64 | 153.35MB | Mar 30, 2016 at 4:31am (UTC) | ++-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ +| | 75182b1241be | no | ubuntu 14.04 LTS amd64 (release) (20160314) | x86_64 | 118.17MB | Mar 30, 2016 at 4:27am (UTC) | ++-------------+--------------+--------+---------------------------------------------+--------+----------+------------------------------+ +``` + +要了解所有镜像的信息,你可以使用“lxc image info”: + +``` +stgraber@castiana:~$ lxc image info ubuntu +Fingerprint: e8a33ec326ae7dd02331bd72f5d22181ba25401480b8e733c247da5950a7d084 +Size: 139.43MB +Architecture: i686 +Public: no +Timestamps: + Created: 2016/03/15 00:00 UTC + Uploaded: 2016/03/16 05:50 UTC + Expires: 2017/04/26 00:00 UTC +Properties: + version: 12.04 + aliases: 12.04,p,precise + architecture: i386 + description: ubuntu 12.04 LTS i386 (release) (20160315) + label: release + os: ubuntu + release: precise + serial: 20160315 +Aliases: + - ubuntu +Auto update: enabled +Source: + Server: https://cloud-images.ubuntu.com/releases + Protocol: simplestreams + Alias: precise/i386 +``` + +##### 编辑镜像 + +一个编辑镜像的属性和标志的简单方法是使用: + +``` +lxc image edit +``` + +这会打开默认文本编辑器,内容像这样: + +``` +autoupdate: true +properties: + aliases: 
14.04,default,lts,t,trusty + architecture: amd64 + description: ubuntu 14.04 LTS amd64 (release) (20160314) + label: release + os: ubuntu + release: trusty + serial: "20160314" + version: "14.04" +public: false +``` + +你可以修改任何属性,打开或者关闭自动更新,后者标记一个镜像是公共的(以后还有更多) + +##### 删除镜像 + +删除镜像只需要运行: + +``` +lxc image delete +``` + +注意你不必移除缓存对象,它们会在过期后被LXD自动移除(默认上,在最后一次使用的10天后)。 + +##### 导出镜像 + +如果你想得到目前镜像的tarball,你可以使用“lxc image export”,像这样: + +``` +stgraber@dakara:~$ lxc image export old-ubuntu . +Output is in . +stgraber@dakara:~$ ls -lh *.tar.xz +-rw------- 1 stgraber domain admins 656 Mar 30 00:55 meta-ubuntu-12.04-server-cloudimg-amd64-lxd.tar.xz +-rw------- 1 stgraber domain admins 156M Mar 30 00:55 ubuntu-12.04-server-cloudimg-amd64-lxd.tar.xz +``` + +#### 镜像格式 + +LXD现在支持两种镜像布局,unified或者split。这两者都是有效的LXD格式,虽然后者在与其他容器或虚拟机一起运行时更容易重新使用文件系统。 + +LXD专注于系统容器,不支持任何应用程序容器的“标准”镜像格式,我们也不打算这么做。 + +我们的镜像很简单,它们是由容器文件系统,以及包含了镜像制作时间、到期时间、什么架构,以及可选的一堆文件模板的元数据文件组成。 + +有关[镜像格式][1]的最新详细信息,请参阅此文档。 + +##### unified镜像 (一个tarball) + +unified镜像格式是LXD在生成镜像时使用的格式。它们是一个单独的大型tarball,包含“rootfs”目录的容器文件系统,在tarball根目录下有metadata.yaml文件,任何模板都进入“templates”目录。 + +tarball可以用任何方式压缩(或者不压缩)。镜像散列是压缩后的tarball的sha256。 + + +##### Split镜像 (两个tarball) + +这种格式最常用于滚动更新镜像以及某人已经有了一个压缩文件系统tarball。 + +它们由两个不同的tarball组成,第一个只包含LXD使用的元数据,因此metadata.yaml文件在根目录,任何模板都在“templates”目录。 + +第二个tarball只包含直接位于其根目录下的容器文件系统。大多数发行版已经有这样的tarball,因为它们常用于引导新机器。 此镜像格式允许不修改重新使用。 + +两个tarball都可以压缩(或者不压缩),它们可以使用不同的压缩算法。 镜像散列是元数据和rootfs tarball结合的sha256。 + +##### 镜像元数据 + +典型的metadata.yaml文件看起来像这样: + +``` +architecture: "i686" +creation_date: 1458040200 +properties: + architecture: "i686" + description: "Ubuntu 12.04 LTS server (20160315)" + os: "ubuntu" + release: "precise" +templates: + /var/lib/cloud/seed/nocloud-net/meta-data: + when: + - start + template: cloud-init-meta.tpl + /var/lib/cloud/seed/nocloud-net/user-data: + when: + - start + template: cloud-init-user.tpl + properties: + default: | + #cloud-config + {} + 
/var/lib/cloud/seed/nocloud-net/vendor-data: + when: + - start + template: cloud-init-vendor.tpl + properties: + default: | + #cloud-config + {} + /etc/init/console.override: + when: + - create + template: upstart-override.tpl + /etc/init/tty1.override: + when: + - create + template: upstart-override.tpl + /etc/init/tty2.override: + when: + - create + template: upstart-override.tpl + /etc/init/tty3.override: + when: + - create + template: upstart-override.tpl + /etc/init/tty4.override: + when: + - create + template: upstart-override.tpl +``` + +##### 属性 + +两个唯一的必填字段是“creation date”(UNIX EPOCH)和“architecture”。 其他都可以保持未设置,镜像就可以正常地导入。 + +额外的属性主要是帮助用户弄清楚镜像是什么。 例如“description”属性是在“lxc image list”中可见的。 用户可以使用其他属性的键/值对来搜索特定镜像。 + +相反,这些属性用户可以通过“lxc image edit”来编辑,“creation date”和“architecture”字段是不可变的。 + +##### 模板 + +模板机制允许在容器生命周期中的某一点生成或重新生成容器中的一些文件。 + +我们使用pongo2模板引擎来做这些,我们将所有我们知道的容器导出到模板。 这样,你可以使用用户定义的容器属性或常规LXD属性的自定义镜像来更改某些特定文件的内容。 + +正如你在上面的例子中看到的,我们使用在Ubuntu中的模板找出cloud-init并关闭一些init脚本。 + +### 创建你的镜像 + +LXD专注于运行完整的Linux系统,这意味着我们期望大多数用户只使用干净的发行版镜像,而不是只用自己的镜像。 + +但是有一些情况下,你有自己的镜像是有用的。 例如生产服务器上的预配置镜像,或者构建那些我们没有构建的发行版或者架构的镜像。 + +#### 将容器变成镜像 + +目前使用LXD构造镜像最简单的方法是将容器变成镜像。 + +可以这么做 + +``` +lxc launch ubuntu:14.04 my-container +lxc exec my-container bash + +lxc publish my-container --alias my-new-image +``` + +你甚至可以将一个容器过去的snapshot变成镜像: + +``` +lxc publish my-container/some-snapshot --alias some-image +``` + +#### 手动构建镜像 + +构建你自己的镜像也很简单。 + +1.生成容器文件系统。 这完全取决于你使用的发行版。 对于Ubuntu和Debian,它将用于启动。 +2.配置容器中正常工作所需的任何东西(如果需要任何东西)。 +3.制作该容器文件系统的tarball,可选择压缩它。 +4.根据上面描述的内容写一个新的metadata.yaml文件。 +5.创建另一个包含metadata.yaml文件的压缩包。 +6.用下面的命令导入这两个tarball作为LXD镜像: + ``` + lxc image import --alias some-name + ``` + +正常工作前你可能需要经历几次这样的工作,调整这里或那里,可能会添加一些模板和属性。 + +### 发布你的镜像 + +所有LXD守护程序都充当镜像服务器。除非另有说明,否则加载到镜像存储中的所有镜像都会被标记为私有,因此只有受信任的客户端可以检索这些镜像,但是如果要创建公共镜像服务器,你需要做的是将一些镜像标记为公开,并确保你的LXD守护进程监听网络。 + +#### 只运行LXD公共服务器 + +最简单的共享镜像的方式是运行一个公共的LXD守护进程。 + +你只要运行: + +``` +lxc config set core.https_address 
"[::]:8443" +``` + +远程用户就可以添加你的服务器作为公共服务器: + +``` +lxc remote add --public +``` + +他们就可以像任何默认的镜像服务器一样使用它们。 由于远程服务器添加了“-public”,因此不需要身份验证,并且客户端仅限于使用已标记为public的镜像。 + +要将镜像设置成公共的,只需“lxc image edit”它们,并将public标志设置为true。 + +#### 使用一台静态web服务器 + +如上所述,“lxc image import”支持从静态http服务器下载。 基本要求是: + +*服务器必须支持具有有效证书的HTTPS,TLS1.2和EC密钥 +*当点击“lxc image import”提供的URL时,服务器必须返回一个包含LXD-Image-Hash和LXD-Image-URL的HTTP标头。 + +如果你想使它动态化,你可以让你的服务器查找LXD在请求镜像中发送的LXD-Server-Architectures和LXD-Server-Version的HTTP头。 这可以让你返回架构正确的镜像。 + +#### 构建一个简单流服务器 + +“ubuntu:”和“ubuntu-daily:”在远端不使用LXD协议(“images:”是的),而是使用不同的协议称为简单流。 + +简单流基本上是一个镜像服务器的描述格式,使用JSON来描述产品以及相关产品的文件列表。 + +它被各种工具,如OpenStack,Juju,MAAS等用来查找,下载或者做镜像系统,LXD将它作为原生协议支持用于镜像检索。 + +虽然的确不是提供LXD镜像的最简单的方法,但是如果你的镜像也被其他一些工具使用,那这也许值得考虑一下。 + +更多信息可以在这里找到。 + +### 总结 + +我希望关于如何使用LXD管理镜像以及构建和发布镜像这点给你提供了一个好点子。对于以前的LXC而言可以在一组全球分布式系统上得到完全相同的镜像是一个很大的进步,并且让将来的道路更加可复制。 + + +### 额外信息 + +LXD 的主站在: + +LXD 的 GitHub 仓库: + +LXD 的邮件列表: + +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net + +如果你不想或者不能在你的机器上安装 LXD ,你可以在 web 上[试试在线版的 LXD][3] 。 + + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/03/30/lxd-2-0-image-management-512/ + +作者:[Stéphane Graber][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://www.stgraber.org/author/stgraber/ +[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ +[1]: https://github.com/lxc/lxd/blob/master/doc/image-handling.md +[2]: https://launchpad.net/simplestreams +[3]: https://linuxcontainers.org/lxd/try-it + +原文:https://www.stgraber.org/2016/03/30/lxd-2-0-image-management-512/ From 300a3dc6fe592dfc5d051f541fb036486493c550 Mon Sep 17 00:00:00 2001 
From: geekpi Date: Wed, 28 Dec 2016 08:59:32 +0800 Subject: [PATCH 025/181] translating --- .../Part 6 - LXD 2.0--Remote hosts and container migration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md b/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md index 2b1d503cc4..18cbd6b3d3 100644 --- a/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md +++ b/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md @@ -1,3 +1,5 @@ +translating---geekpi + Part 6 - LXD 2.0: Remote hosts and container migration ======================================================= From 86e2a93b311f587d59e3aa336af34c86c268d8fa Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 09:56:06 +0800 Subject: [PATCH 026/181] translated --- ...0--Remote hosts and container migration.md | 211 ----------------- ...0--Remote hosts and container migration.md | 216 ++++++++++++++++++ 2 files changed, 216 insertions(+), 211 deletions(-) delete mode 100644 sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md create mode 100644 translated/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md diff --git a/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md b/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md deleted file mode 100644 index 18cbd6b3d3..0000000000 --- a/sources/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md +++ /dev/null 
@@ -1,211 +0,0 @@ -translating---geekpi - -Part 6 - LXD 2.0: Remote hosts and container migration -======================================================= - -This is the third blog post [in this series about LXD 2.0][0]. - -![](https://linuxcontainers.org/static/img/containers.png) - -### Remote protocols - -LXD 2.0 supports two protocols: - -* LXD 1.0 API: That’s the REST API used between the clients and a LXD daemon as well as between LXD daemons when copying/moving images and containers. -* Simplestreams: The Simplestreams protocol is a read-only, image-only protocol used by both the LXD client and daemon to get image information and import images from some public image servers (like the Ubuntu images). - -Everything below will be using the first of those two. - -### Security - -Authentication for the LXD API is done through client certificate authentication over TLS 1.2 using recent ciphers. When two LXD daemons must exchange information directly, a temporary token is generated by the source daemon and transferred through the client to the target daemon. This token may only be used to access a particular stream and is immediately revoked so cannot be re-used. - -To avoid Man In The Middle attacks, the client tool also sends the certificate of the source server to the target. That means that for a particular download operation, the target server is provided with the source server URL, a one-time access token for the resource it needs and the certificate that the server is supposed to be using. This prevents MITM attacks and only give temporary access to the object of the transfer. - -### Network requirements - -LXD 2.0 uses a model where the target of an operation (the receiving end) is connecting directly to the source to fetch the data. - -This means that you must ensure that the target server can connect to the source directly, updating any needed firewall along the way. 
- -We have [a plan][1] to allow this to be reversed and also to allow proxying through the client itself for those rare cases where draconian firewalls are preventing any communication between the two hosts. - -### Interacting with remote hosts - -Rather than having our users have to always provide hostname or IP addresses and then validating certificate information whenever they want to interact with a remote host, LXD is using the concept of “remotes”. - -By default, the only real LXD remote configured is “local:” which also happens to be the default remote (so you don’t have to type its name). The local remote uses the LXD REST API to talk to the local daemon over a unix socket. - -### Adding a remote - -Say you have two machines with LXD installed, your local machine and a remote host that we’ll call “foo”. - -First you need to make sure that “foo” is listening to the network and has a password set, so get a remote shell on it and run: - -``` -lxc config set core.https_address [::]:8443 -lxc config set core.trust_password something-secure -``` - -Now on your local LXD, we just need to make it visible to the network so we can transfer containers and images from it: - -lxc config set core.https_address [::]:8443 -Now that the daemon configuration is done on both ends, you can add “foo” to your local client with: - -``` -lxc remote add foo 1.2.3.4 -``` - -(replacing 1.2.3.4 by your IP address or FQDN) - -You’ll see something like this: - -``` -stgraber@dakara:~$ lxc remote add foo 2607:f2c0:f00f:2770:216:3eff:fee1:bd67 -Certificate fingerprint: fdb06d909b77a5311d7437cabb6c203374462b907f3923cefc91dd5fce8d7b60 -ok (y/n)? 
y -Admin password for foo: -Client certificate stored at server: foo -``` - -You can then list your remotes and you’ll see “foo” listed there: - -``` -stgraber@dakara:~$ lxc remote list -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| NAME | URL | PROTOCOL | PUBLIC | STATIC | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| foo | https://[2607:f2c0:f00f:2770:216:3eff:fee1:bd67]:8443 | lxd | NO | NO | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| images | https://images.linuxcontainers.org:8443 | lxd | YES | NO | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| local (default) | unix:// | lxd | NO | YES | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | YES | YES | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -| ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | YES | YES | -+-----------------+-------------------------------------------------------+---------------+--------+--------+ -``` - -### Interacting with it - -Ok, so we have a remote server defined, what can we do with it now? - -Well, just about everything you saw in the posts until now, the only difference being that you must tell LXD what host to run against. - -For example: - -``` -lxc launch ubuntu:14.04 c1 -``` - -Will run on the default remote (“lxc remote get-default”) which is your local host. - -``` -lxc launch ubuntu:14.04 foo:c1 -``` - -Will instead run on foo. 
- -Listing running containers on a remote host can be done with: - -``` -stgraber@dakara:~$ lxc list foo: -+------+---------+---------------------+-----------------------------------------------+------------+-----------+ -| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | -+------+---------+---------------------+-----------------------------------------------+------------+-----------+ -| c1 | RUNNING | 10.245.81.95 (eth0) | 2607:f2c0:f00f:2770:216:3eff:fe43:7994 (eth0) | PERSISTENT | 0 | -+------+---------+---------------------+-----------------------------------------------+------------+-----------+ -``` - -One thing to keep in mind is that you have to specify the remote host for both images and containers. So if you have a local image called “my-image” on “foo” and want to create a container called “c2” from it, you have to run: - -``` -lxc launch foo:my-image foo:c2 -``` - -Finally, getting a shell into a remote container works just as you would expect: - -``` -lxc exec foo:c1 bash -``` - -### Copying containers - -Copying containers between hosts is as easy as it sounds: - -``` -lxc copy foo:c1 c2 -``` -And you’ll have a new local container called “c2” created from a copy of the remote “c1” container. This requires “c1” to be stopped first, but you could just copy a snapshot instead and do it while the source container is running: - -``` -lxc snapshot foo:c1 current -lxc copy foo:c1/current c3 -``` - -### Moving containers - -Unless you’re doing live migration (which will be covered in a later post), you have to stop the source container prior to moving it, after which everything works as you’d expect. - -``` -lxc stop foo:c1 -lxc move foo:c1 local: -``` - -This example is functionally identical to: - -``` -lxc stop foo:c1 -lxc move foo:c1 c1 -``` - -### How this all works - -Interactions with remote containers work as you would expect, rather than using the REST API over a local Unix socket, LXD just uses the exact same API over a remote HTTPS transport. 
- -Where it gets a bit trickier is when interaction between two daemons must occur, as is the case for copy and move. - -In those cases the following happens: - -1. The user runs “lxc move foo:c1 c1”. -2. The client contacts the local: remote to check for an existing “c1” container. -3. The client fetches container information from “foo”. -4. The client requests a migration token from the source “foo” daemon. -5. The client sends that migration token as well as the source URL and “foo”‘s certificate to the local LXD daemon alongside the container configuration and devices. -6. The local LXD daemon then connects directly to “foo” using the provided token - A. It connects to a first control websocket - B. It negotiates the filesystem transfer protocol (zfs send/receive, btrfs send/receive or plain rsync) - C. If available locally, it unpacks the image which was used to create the source container. This is to avoid needless data transfer. - D. It then transfers the container and any of its snapshots as a delta. -7. If succesful, the client then instructs “foo” to delete the source container. - -### Try all this online - -Don’t have two machines to try remote interactions and moving/copying containers? - -That’s okay, you can test it all online using our [demo service][2]. -The included step-by-step walkthrough even covers it! 
- -### Extra information - -The main LXD website is at: -Development happens on Github at: -Mailing-list support happens on: -IRC support happens in: #lxcontainers on irc.freenode.net - - --------------------------------------------------------------------------------- - -via: https://www.stgraber.org/2016/03/19/lxd-2-0-your-first-lxd-container-312/ - -作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://www.stgraber.org/author/stgraber/ -[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ -[1]: https://github.com/lxc/lxd/issues/553 -[2]: https://linuxcontainers.org/lxd/try-it/ diff --git a/translated/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md b/translated/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md new file mode 100644 index 0000000000..17cef78ae9 --- /dev/null +++ b/translated/tech/LXD/Part 6 - LXD 2.0--Remote hosts and container migration.md 
@@ -0,0 +1,216 @@ +LXD 2.0 系列(六):远程主机及容器迁移 +====================================== + +这是 [LXD 2.0 系列介绍文章][0]的第六篇。 + +![](https://linuxcontainers.org/static/img/containers.png) + +### 远程协议 + +LXD 2.0 支持两种协议: + +* LXD 1.0 API:这是在客户端和LXD守护进程之间使用的REST API,以及在复制/移动镜像和容器时在LXD守护进程之间使用的REST API。 +* Simplestreams:Simplestreams协议是LXD客户端和守护进程使用的只读、只有镜像的协议,以获取镜像信息以及从一些公共镜像服务器(如Ubuntu镜像)导入镜像。 + +以下所有内容都将使用这两个协议中的第一个。 + +### 安全 + +LXD API的验证是通过使用最近的密钥通过TLS 1.2的客户端证书验证。 当两个LXD守护程序必须直接交换信息时,源守护程序生成一个临时令牌,并通过客户端传输到目标守护程序。 此令牌仅可用于访问特定流,并且立即被撤销,因此不能重新使用。 + +为了避免中间人攻击,客户端工具还将源服务器的证书发送到目标。 这意味着对于特定的下载操作,目标服务器会被提供源服务器的URL、需要的资源的一次性访问令牌以及服务器应该使用的证书。 这可以防止MITM攻击,并且只允许临时访问传输对象。 + +### 网络需求 + +LXD 2.0使用一种模型,它其中操作的目标(接收端)直接连接到源以获取数据。 + +这意味着你必须确保目标服务器可以直接连接到源、可以更新任何所需的防火墙。 + +我们有个[允许反向连接的计划][1],允许通过客户端本身代理以应对那些严格的防火墙阻止两台主机之间通信的罕见情况。 + +### 与远程主机交互 + +LXD使用的是“remotes”的概念,而不是让我们的用户总是提供主机名或IP地址,然后在他们想要与远程主机交互时验证证书信息。 + +默认情况下,唯一真正的LXD远程配置是“local:”,这也是默认远程(所以你不必输入它的名称)。本地远程使用LXD REST API通过unix套接字与本地守护进程通信。 + +### 添加一台远程主机 + +假设你已经有两台装有LXD的机器,你的本机以及远程那台我们称为“foo”的主机。 + +首先你需要确保“foo”正在监听网络,并设置了一个密码,因此在远程shell上运行: + +``` +lxc config set core.https_address [::]:8443 +lxc config set core.trust_password something-secure +``` + +在你本地LXD上,你需要使它对网络可见,这样我们可以从它传输容器和镜像: + +``` +lxc config set core.https_address [::]:8443 +``` + +现在守护进程的配置已经在两段完成了,你可以添加“foo”到你的本地客户端: + +``` +lxc remote add foo 1.2.3.4 +``` + +(将 1.2.3.4 替换成你的IP或者FQDN) + +看上去像这样: + +``` +stgraber@dakara:~$ lxc remote add foo 2607:f2c0:f00f:2770:216:3eff:fee1:bd67 +Certificate fingerprint: fdb06d909b77a5311d7437cabb6c203374462b907f3923cefc91dd5fce8d7b60 +ok (y/n)? 
y +Admin password for foo: +Client certificate stored at server: foo +``` + +你接着可以列出远端服务器,你可以在列表中看到“foo”: + +``` +stgraber@dakara:~$ lxc remote list ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| NAME | URL | PROTOCOL | PUBLIC | STATIC | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| foo | https://[2607:f2c0:f00f:2770:216:3eff:fee1:bd67]:8443 | lxd | NO | NO | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| images | https://images.linuxcontainers.org:8443 | lxd | YES | NO | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| local (default) | unix:// | lxd | NO | YES | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | YES | YES | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +| ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | YES | YES | ++-----------------+-------------------------------------------------------+---------------+--------+--------+ +``` + +### 与它交互 + +好了,所以我们已经有了一台定义好的远程服务器,我们现在可以做些什么? 
+ +好了,就如你看到现在的,唯一的不同是你不许告诉LXD要哪台主机运行。 + +比如: + +``` +lxc launch ubuntu:14.04 c1 +``` + +它会在默认主机(“lxc remote get-default”)也就是你的本机上运行。 + +``` +lxc launch ubuntu:14.04 foo:c1 +``` + +这个会在foo上运行。 + +列出远程主机正在运行的容器可以这么做: + +``` +stgraber@dakara:~$ lxc list foo: ++------+---------+---------------------+-----------------------------------------------+------------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++------+---------+---------------------+-----------------------------------------------+------------+-----------+ +| c1 | RUNNING | 10.245.81.95 (eth0) | 2607:f2c0:f00f:2770:216:3eff:fe43:7994 (eth0) | PERSISTENT | 0 | ++------+---------+---------------------+-----------------------------------------------+------------+-----------+ +``` + +你要记住的一件事是你需要在远程主机上同时指定镜像和容器。因此如果你在“foo”上有一个“my-image”的镜像,并且希望从它创建一个“c2”的容器,你需要运行: + +``` +lxc launch foo:my-image foo:c2 +``` + +最后,就如你希望的那样得到一个远程容器的shell: + +``` +lxc exec foo:c1 bash +``` + +### 复制容器 + +在两台主机间复制容器就如它听上去那样简单: + +``` +lxc copy foo:c1 c2 +``` + +你会有一个新的从远程“c1”复制过来的本地“c2”容器。这需要停止“c1”容器,但是你可以在运行的时候只复制一个快照: + +``` +lxc snapshot foo:c1 current +lxc copy foo:c1/current c3 +``` + +### 移动容器 + +除非你在做实时更新(将会在之后的文章中覆盖),不然你需要在移动前先停止容器,接着就会如你预料的那样。 + +``` +lxc stop foo:c1 +lxc move foo:c1 local: +``` + +这个例子等同于: + +``` +lxc stop foo:c1 +lxc move foo:c1 c1 +``` + +### 这些如何工作 + +正如你期望的那样, 与远程容器的交互时LXD只使用完全相同的HTTPS传输的API,而不是通过本地Unix套接字使用REST API。 + +当两个守护程序之间交互时会变得有些棘手,如复制和移动的情况。 + +有有以下这些情况: + +1.用户运行“lxc move foo:c1 c1”。 +2.客户端联系本地:远程以检查现有的“c1”容器。 +3.客户端从“foo”获取容器信息。 +4.客户端从源“foo”守护程序请求迁移令牌。 +5.客户端将迁移令牌以及源URL和“foo”证书发送到本地LXD守护程序以及容器配置和周围设备。 +6.然后本地LXD守护程序使用提供的令牌直接连接到“foo” +  A.它连接到第一个控制websocket +  B.它协商文件系统传输协议(zfs发送/接收,btrfs发送/接收或者纯rsync) +  C.如果在本地可用,它会解压用于创建源容器的镜像。这是为了避免不必要的数据传输。 +  D.然后它会将容器及其任何快照作为增量传输。 +7.如果成功,客户端会命令“foo”删除源容器。 + +### 在线尝试 + +没有两台机器来尝试远端交互和复制/移动容器? + +没有问题,你可以使用我们的[demo服务][2]。 +这里甚至还包括了一步步的指导! 
+ +### 额外信息 + +LXD 的主站在: + +LXD 的 GitHub 仓库: + +LXD 的邮件列表: + +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net + + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/03/19/lxd-2-0-your-first-lxd-container-312/ + +作者:[Stéphane Graber][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://www.stgraber.org/author/stgraber/ +[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ +[1]: https://github.com/lxc/lxd/issues/553 +[2]: https://linuxcontainers.org/lxd/try-it/ From 23d8225f721790591943102897235f0aa46b20bc Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 09:58:21 +0800 Subject: [PATCH 027/181] translating --- sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md b/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md index 8f32e4646a..4e305c04de 100644 --- a/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md +++ b/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md @@ -1,3 +1,5 @@ +translating---geekpi + Part 7 - LXD 2.0: Docker in LXD ================================== From ee0713f39f129c7ac85a702f32c652ec9f98d4e0 Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 10:21:58 +0800 Subject: [PATCH 028/181] translated --- .../LXD/Part 7 - LXD 2.0--Docker in LXD.md | 147 ----------------- .../LXD/Part 7 - LXD 2.0--Docker in LXD.md | 148 ++++++++++++++++++ 2 files changed, 148 insertions(+), 147 deletions(-) delete mode 100644 sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md create mode 100644 translated/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md diff --git a/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md b/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md deleted file mode 100644 index 4e305c04de..0000000000 
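Review bot: In the "与它交互" section of the new part-six file, the added line `唯一的不同是你不许告诉LXD要哪台主机运行` says the user must not tell LXD which host to run on, which contradicts the `lxc launch ubuntu:14.04 foo:c1` example that follows it; it should read 必须, not 不许. In the "安全" section, `最近的密钥` reads as "recent keys"; please check it against the source, because that sentence is the article's statement of how the API authenticates over TLS 1.2 and the wording should match it exactly. The footer `via:` URL ends in `lxd-2-0-your-first-lxd-container-312/`, a slug that names a different article from this one (远程主机及容器迁移), so it looks copied from another file in the series. Smaller points: `两段` should be `两端`, `有有以下这些情况` has a doubled 有, and the numbered steps (`1.用户运行` and so on) need a space after the period to render as a Markdown list.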
--- a/sources/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md +++ /dev/null 
@@ -1,147 +0,0 @@ -translating---geekpi - -Part 7 - LXD 2.0: Docker in LXD -================================== - -This is the seventh blog post [in this series about LXD 2.0][0]. - -![](https://linuxcontainers.org/static/img/containers.png) - -### Why run Docker inside LXD - -As I briefly covered in the [first post of this series][1], LXD’s focus is system containers. That is, we run a full unmodified Linux distribution inside our containers. LXD for all intent and purposes doesn’t care about the workload running in the container. It just sets up the container namespaces and security policies, then spawns /sbin/init and waits for the container to stop. - -Application containers such as those implemented by Docker or Rkt are pretty different in that they are used to distribute applications, will typically run a single main process inside them and be much more ephemeral than a LXD container. - -Those two container types aren’t mutually exclusive and we certainly see the value of using Docker containers to distribute applications. That’s why we’ve been working hard over the past year to make it possible to run Docker inside LXD. - -This means that with Ubuntu 16.04 and LXD 2.0, you can create containers for your users who will then be able to connect into them just like a normal Ubuntu system and then run Docker to install the services and applications they want. - -### Requirements - -There are a lot of moving pieces to make all of this working and we got it all included in Ubuntu 16.04: - -- A kernel with CGroup namespace support (4.4 Ubuntu or 4.6 mainline) -- LXD 2.0 using LXC 2.0 and LXCFS 2.0 -- A custom version of Docker (or one built with all the patches that we submitted) -- A Docker image which behaves when confined by user namespaces, or alternatively make the parent LXD container a privileged container (security.privileged=true) - -### Running a basic Docker workload - -Enough talking, lets run some Docker containers! 
- -First of all, you need an Ubuntu 16.04 container which you can get with: - -``` -lxc launch ubuntu-daily:16.04 docker -p default -p docker -``` - -The “-p default -p docker” instructs LXD to apply both the “default” and “docker” profiles to the container. The default profile contains the basic network configuration while the docker profile tells LXD to load a few required kernel modules and set up some mounts for the container. The docker profile also enables container nesting. - -Now lets make sure the container is up to date and install docker: - -``` -lxc exec docker -- apt update -lxc exec docker -- apt dist-upgrade -y -lxc exec docker -- apt install docker.io -y -``` - -And that’s it! You’ve got Docker installed and running in your container. -Now lets start a basic web service made of two Docker containers: - -``` -stgraber@dakara:~$ lxc exec docker -- docker run --detach --name app carinamarina/hello-world-app -Unable to find image 'carinamarina/hello-world-app:latest' locally -latest: Pulling from carinamarina/hello-world-app -efd26ecc9548: Pull complete -a3ed95caeb02: Pull complete -d1784d73276e: Pull complete -72e581645fc3: Pull complete -9709ddcc4d24: Pull complete -2d600f0ec235: Pull complete -c4cf94f61cbd: Pull complete -c40f2ab60404: Pull complete -e87185df6de7: Pull complete -62a11c66eb65: Pull complete -4c5eea9f676d: Pull complete -498df6a0d074: Pull complete -Digest: sha256:6a159db50cb9c0fbe127fb038ed5a33bb5a443fcdd925ec74bf578142718f516 -Status: Downloaded newer image for carinamarina/hello-world-app:latest -c8318f0401fb1e119e6c5bb23d1e706e8ca080f8e44b42613856ccd0bf8bfb0d - -stgraber@dakara:~$ lxc exec docker -- docker run --detach --name web --link app:helloapp -p 80:5000 carinamarina/hello-world-web -Unable to find image 'carinamarina/hello-world-web:latest' locally -latest: Pulling from carinamarina/hello-world-web -efd26ecc9548: Already exists -a3ed95caeb02: Already exists -d1784d73276e: Already exists -72e581645fc3: Already exists 
-9709ddcc4d24: Already exists -2d600f0ec235: Already exists -c4cf94f61cbd: Already exists -c40f2ab60404: Already exists -e87185df6de7: Already exists -f2d249ff479b: Pull complete -97cb83fe7a9a: Pull complete -d7ce7c58a919: Pull complete -Digest: sha256:c31cf04b1ab6a0dac40d0c5e3e64864f4f2e0527a8ba602971dab5a977a74f20 -Status: Downloaded newer image for carinamarina/hello-world-web:latest -d7b8963401482337329faf487d5274465536eebe76f5b33c89622b92477a670f -``` - -With those two Docker containers now running, we can then get the IP address of our LXD container and access the service! - -``` -stgraber@dakara:~$ lxc list -+--------+---------+----------------------+----------------------------------------------+------------+-----------+ -| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | -+--------+---------+----------------------+----------------------------------------------+------------+-----------+ -| docker | RUNNING | 172.17.0.1 (docker0) | 2001:470:b368:4242:216:3eff:fe55:45f4 (eth0) | PERSISTENT | 0 | -| | | 10.178.150.73 (eth0) | | | | -+--------+---------+----------------------+----------------------------------------------+------------+-----------+ - -stgraber@dakara:~$ curl http://10.178.150.73 -The linked container said... "Hello World!" -``` - -### Conclusion - -That’s it! It’s really that simple to run Docker containers inside a LXD container. - -Now as I mentioned earlier, not all Docker images will behave as well as my example, that’s typically because of the extra confinement that comes with LXD, specifically the user namespace. - -Only the overlayfs storage driver of Docker works in this mode. That storage driver may come with its own set of limitation which may further limit how many images will work in this environment. 
- -If your workload doesn’t work properly and you trust the user inside the LXD container, you can try: - -``` -lxc config set docker security.privileged true -lxc restart docker -``` - -That will de-activate the user namespace and will run the container in privileged mode. - -Note however that in this mode, root inside the container is the same uid as root on the host. There are a number of known ways for users to escape such containers and gain root privileges on the host, so you should only ever do that if you’d trust the user inside your LXD container with root privileges on the host. - -### Extra information - -The main LXD website is at: -Development happens on Github at: -Mailing-list support happens on: -IRC support happens in: #lxcontainers on irc.freenode.net - - --------------------------------------------------------------------------------- - -via: https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712/ - -作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://www.stgraber.org/author/stgraber/ -[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ -[1]: https://www.stgraber.org/2016/03/11/lxd-2-0-introduction-to-lxd-112/ -[2]: https://linuxcontainers.org/lxd/try-it/ diff --git a/translated/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md b/translated/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md new file mode 100644 index 0000000000..831332b836 --- /dev/null +++ b/translated/tech/LXD/Part 7 - LXD 2.0--Docker in LXD.md 
@@ -0,0 +1,148 @@ +LXD 2.0 系列(七):LXD中的Docker +====================================== + +这是 [LXD 2.0 系列介绍文章][0]的第七篇。 + +![](https://linuxcontainers.org/static/img/containers.png) + +### 为什么在LXD中运行Docker + +正如我在[系列的第一篇][1]中简要介绍的,LXD的重点是系统容器。也就是我们在容器中运行一个完全未经修改的Linux发行版。LXD的所有意图和目的不在乎容器中的负载。它只是设置容器命名空间和安全策略,然后生成/sbin/init,接着等待容器停止。 + +应用程序容器,例如由Docker或Rkt实现的应用程序容器是非常不同的,因为它们用于分发应用程序,通常在它们内部运行单个主进程,并且比LXD容器生命期更短暂。 + +这两种容器类型不是相互排斥的,我们的确看到使用Docker容器来分发应用程序的价值。这就是为什么我们在过去一年努力工作以便让LXD中运行Docker成为可能。 + +这意味着,使用Ubuntu 16.04和LXD 2.0,您可以为用户创建容器,然后可以像正常的Ubuntu系统一样连接到这些容器,然后运行Docker来安装他们想要的服务和应用程序。 + +### 要求 + +要让它正常工作要做很多事情,Ubuntu 16.04上已经包含了这些: + +- 支持CGroup命名空间的内核(4.4 Ubuntu或4.6 mainline) +- 使用LXC 2.0和LXCFS 2.0的LXD 2.0 +- 一个自定义版本的Docker(或一个用我们提交的所有补丁构建的) +- Docker镜像,当用户命名空间限制时,或者使父LXD容器成为特权容器(security.privileged = true) + +### 运行一个基础的Docker负载 + +说完这些,让我们开始运行Docker容器! + +首先你可以用下面的命令得到一个Ubuntu 16.04的容器: + +``` +lxc launch ubuntu-daily:16.04 docker -p default -p docker +``` + +“-p default -p docker”表示LXD将“default”和“docker”配置文件应用于容器。默认配置文件包含基本网络配置,而docker配置文件告诉LXD加载几个必需的内核模块并为容器设置一些挂载。 docker配置文件还允许容器嵌套。 + +现在让我们确保容器是最新的并安装docker: + +``` +lxc exec docker -- apt update +lxc exec docker -- apt dist-upgrade -y +lxc exec docker -- apt install docker.io -y +``` + +就是这样!你已经安装并运行了一个Docker容器。 +现在让我们用两个Docker容器开启一个基础的web服务: + +``` +stgraber@dakara:~$ lxc exec docker -- docker run --detach --name app carinamarina/hello-world-app +Unable to find image 'carinamarina/hello-world-app:latest' locally +latest: Pulling from carinamarina/hello-world-app +efd26ecc9548: Pull complete +a3ed95caeb02: Pull complete +d1784d73276e: Pull complete +72e581645fc3: Pull complete +9709ddcc4d24: Pull complete +2d600f0ec235: Pull complete +c4cf94f61cbd: Pull complete +c40f2ab60404: Pull complete +e87185df6de7: Pull complete +62a11c66eb65: Pull complete +4c5eea9f676d: Pull complete +498df6a0d074: Pull complete +Digest: sha256:6a159db50cb9c0fbe127fb038ed5a33bb5a443fcdd925ec74bf578142718f516 +Status: Downloaded 
newer image for carinamarina/hello-world-app:latest +c8318f0401fb1e119e6c5bb23d1e706e8ca080f8e44b42613856ccd0bf8bfb0d + +stgraber@dakara:~$ lxc exec docker -- docker run --detach --name web --link app:helloapp -p 80:5000 carinamarina/hello-world-web +Unable to find image 'carinamarina/hello-world-web:latest' locally +latest: Pulling from carinamarina/hello-world-web +efd26ecc9548: Already exists +a3ed95caeb02: Already exists +d1784d73276e: Already exists +72e581645fc3: Already exists +9709ddcc4d24: Already exists +2d600f0ec235: Already exists +c4cf94f61cbd: Already exists +c40f2ab60404: Already exists +e87185df6de7: Already exists +f2d249ff479b: Pull complete +97cb83fe7a9a: Pull complete +d7ce7c58a919: Pull complete +Digest: sha256:c31cf04b1ab6a0dac40d0c5e3e64864f4f2e0527a8ba602971dab5a977a74f20 +Status: Downloaded newer image for carinamarina/hello-world-web:latest +d7b8963401482337329faf487d5274465536eebe76f5b33c89622b92477a670f +``` + +现在这两个Docker容器已经运行了,我们可以得到LXD容器的IP地址,并且访问它的服务了! + +``` +stgraber@dakara:~$ lxc list ++--------+---------+----------------------+----------------------------------------------+------------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++--------+---------+----------------------+----------------------------------------------+------------+-----------+ +| docker | RUNNING | 172.17.0.1 (docker0) | 2001:470:b368:4242:216:3eff:fe55:45f4 (eth0) | PERSISTENT | 0 | +| | | 10.178.150.73 (eth0) | | | | ++--------+---------+----------------------+----------------------------------------------+------------+-----------+ + +stgraber@dakara:~$ curl http://10.178.150.73 +The linked container said... "Hello World!" 
+``` + +### 总结 + +就是这样了!在LXD容器中运行Docker容器真的很简单。 + +现在正如我前面提到的,并不是所有的Docker镜像都会像我的示例一样,这通常是因为LXD提供了额外的限制,特别是用户命名空间。 + +只有Docker的overlayfs存储驱动在这种模式下工作。该存储驱动有一组自己的限制,这可以进一步限制在该环境中可以有多少镜像工作。 + +如果您的负载无法正常工作,并且您信任LXD容器中的用户,你可以试下: + +``` +lxc config set docker security.privileged true +lxc restart docker +``` + +这将取消激活用户命名空间,并以特权模式运行容器。 + +但是请注意,在这种模式下,容器内的root与主机上的root是相同的uid。现在有许多已知的方法让用户脱离容器,并获得主机上的root权限,所以你应该只有在信任你的LXD容器中的用户可以具有主机上的root权限才这样做。 + +### 额外信息 + +LXD 的主站在: + +LXD 的 GitHub 仓库: + +LXD 的邮件列表: + +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net + + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712/ + +作者:[Stéphane Graber][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://www.stgraber.org/author/stgraber/ +[0]: https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ +[1]: https://www.stgraber.org/2016/03/11/lxd-2-0-introduction-to-lxd-112/ +[2]: https://linuxcontainers.org/lxd/try-it/ From cb17fc1ff28b76c7340d45c3f26cd134d66f1629 Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 10:23:57 +0800 Subject: [PATCH 029/181] translating --- sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md b/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md index a32811643e..c703c061a4 100644 --- a/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md +++ b/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md @@ -1,3 +1,5 @@ +translating----geekpi + Part 8 - LXD 2.0: LXD in LXD ============================== From f5bbd097d0c30d808207520f0e50324fb4fb96d0 Mon Sep 17 00:00:00 2001 
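Review bot: In the "要求" list of the translated part-seven file, the last bullet `Docker镜像,当用户命名空间限制时,或者使父LXD容器成为特权容器(security.privileged = true)` drops the condition from the removed source line ("A Docker image which behaves when confined by user namespaces"), so the translation no longer says the image has to work under user-namespace confinement, with a privileged parent container as the alternative. The same bullet writes the key as `security.privileged = true`, while the source has `security.privileged=true`; keep configuration keys and values exactly as in the source. After the apt commands, `你已经安装并运行了一个Docker容器` says a Docker container was installed and run, but the source says Docker itself is installed and running inside the LXD container; no Docker container exists until the `docker run` commands that follow.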
From: WangYihang Date: Wed, 28 Dec 2016 10:35:27 +0800 Subject: [PATCH 030/181] =?UTF-8?q?=E7=BF=BB=E8=AF=91=E5=AE=8C=E6=88=90[By?= =?UTF-8?q?=20:=20WangYihang]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...o Build an Email Server on Ubuntu Linux.md | 124 ----------------- ...o Build an Email Server on Ubuntu Linux.md | 130 ++++++++++++++++++ 2 files changed, 130 insertions(+), 124 deletions(-) delete mode 100644 sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md create mode 100644 translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md diff --git a/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md b/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md deleted file mode 100644 index f46891b365..0000000000 --- a/sources/tech/20161201 How to Build an Email Server on Ubuntu Linux.md +++ /dev/null 
@@ -1,124 +0,0 @@ -translating by dongdongmian -translating by WangYihang - -How to Build an Email Server on Ubuntu Linux -============================================================ - - ![mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-stack.jpg?itok=SVMfa8WZ "mail server") -In this series, we will show how to build a reliable configurable mail server with Postfix, Dovecot, and OpenSSL on Ubuntu Linux.[Creative Commons Zero][2]Pixabay - -In this fast-changing world of containers and microservices it's comforting that some things don't change, such as setting up a Linux email server. It's still a dance of many steps and knitting together several different servers, and once you put it all together it just sits there, all nice and stable, instead of winking in and out of existence like microservices. In this series, we'll put together a nice reliable configurable mail server with Postfix, Dovecot, and OpenSSL on Ubuntu Linux. - -Postfix is a reliable old standby that is easier to configure and use than Sendmail, the original Unix MTA (does anyone still use Sendmail?). Exim is Debian's default MTA; it is more lightweight than Postfix and super-configurable, so we'll look at Exim in a future tutorial. - -Dovecot and Courier are two popular and excellent IMAP/POP3 servers. Dovecot is more lightweight and easier to configure. - -You must secure your email sessions, so we'll use OpenSSL. OpenSSL also supplies some nice tools for testing your mail server. - -For simplicity, we'll set up a LAN mail server in this series. You should have LAN name services already enabled and working; see [Dnsmasq For Easy LAN Name Services][5] for some pointers. Then later, you can adapt a LAN server to an Internet-accessible server by registering your domain name and configuring your firewall accordingly. These are documented everywhere, so please do your homework and be careful. 
- -### Terminology - -Let's take a quick look at some terminology, because it is nice when we know what the heck we're talking about. - -* **MTA**: Mail transfer agent, a simple mail transfer protocol (SMTP) server such as Postfix, Exim, and Sendmail. SMTP servers talk to each other -* **MUA**: Mail user agent, your local mail client such as Evolution, KMail, Claws Mail, or Thunderbird. -* **POP3**: Post-office protocol, the simplest protocol for moving messages from an SMTP server to your mail client. A POP server is simple and lightweight; you can serve thousands of users from a single box. -* **IMAP**: Interactive message access protocol. Most businesses use IMAP because messages remain on the server, so users don't have to worry about losing them. IMAP servers require a lot of memory and storage. -* **TLS**: Transport socket layer, an evolution of SSL (secure sockets layer), which provides encrypted transport for SASL-authenticated logins. -* **SASL**: Simple authentication and security layer, for authenticating users. SASL does the authenticating, then TLS provides the encrypted transport of the authentication data. -* **StartTLS**: Also known as opportunistic TLS. StartTLS upgrades your plain text authentication to encrypted authentication if both servers support SSL/TLS. If one of them doesn't then it remains in cleartext. StartTLS uses the standard unencrypted ports: 25 (SMTP), 110 (POP3), and 143 (IMAP) instead of the standard encrypted ports: 465 (SMTP), 995 (POP3), and 993 (IMAP). - -### Yes, We Still Have Sendmail - -Most Linuxes still have `/usr/sbin/sendmail`. This is a holdover from the very olden days when Sendmail was the only MTA. On most distros `/usr/sbin/sendmail` is symlinked to your installed MTA. However your distro handles it, if it's there, it's on purpose. - -### Install Postfix - -`apt-get install postfix` takes care of the basic Postfix installation (Figure 1). This opens a wizard that asks what kind of server you want. 
Select "Internet Site", even for a LAN server. It will ask for your fully qualified server domain name (e.g., myserver.mydomain.net). On a LAN server, assuming your name services are correctly configured (I keep mentioning this because people keep getting it wrong), you can use just the hostname (e.g., myserver). - - ![Postfix](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/postfix-1.png?itok=NJLdtICb "Postfix") - -Figure 1: Postfix configuration.[Creative Commons Zero][1]Carla Schroder - -Ubuntu will create a configuration file and launch three Postfix daemons: `master, qmgr`, and `pickup`. There is no Postfix command or daemon. - -``` -$ ps ax - 6494 ? Ss 0:00 /usr/lib/postfix/master - 6497 ? S 0:00 pickup -l -t unix -u -c - 6498 ? S 0:00 qmgr -l -t unix -u -``` - -Use Postfix's built-in syntax checker to test your configuration files. If it finds no syntax errors, it reports nothing: - -``` -$ sudo postfix check -[sudo] password for carla: -``` - -Use `netstat` to verify that Postfix is listening on port 25: - -``` -$ netstat -ant -tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -tcp6 0 0 :::25 :::* LISTEN -``` - -Now let's fire up trusty old `telnet` to test: - -``` -$ telnet myserver 25 -Trying 127.0.1.1... -Connected to myserver. -Escape character is '^]'. -220 myserver ESMTP Postfix (Ubuntu) -**EHLO myserver** -250-myserver -250-PIPELINING -250-SIZE 10240000 -250-VRFY -250-ETRN -250-STARTTLS -250-ENHANCEDSTATUSCODES -250-8BITMIME -250 DSN -**^]** - -telnet> -``` - -Hurrah! We have verified the server name, and that Postfix is listening and responding to requests on port 25, the SMTP port. - -Type `quit` to exit `telnet`. In the example, the commands that you type to interact with your server are in bold. The output are ESMTP (extended SMTP) 250 status codes. - -* PIPELINING allows multiple commands to flow without having to respond to each one. -* SIZE tells the maximum message size that the server accepts. 
-* VRFY can tell a client if a particular mailbox exists. This is often ignored as it could be a security hole. -* ETRN is for sites with irregular Internet connectivity. Such a site can use ETRN to request mail delivery from an upstream server, and Postfix can be configured to defer mail delivery to ETRN clients. -* STARTTLS (see above). -* ENHANCEDSTATUSCODES, the server supports enhanced status and error codes. -* 8BITMIME, supports 8-bit MIME, which means the full ASCII character set. Once upon a time the original ASCII was 7 bits. -* DSN, delivery status notifiction, informs you of delivery errors. - -The main Postfix configuration file is `/etc/postfix/main.cf`. This is created by the installer. See [Postfix Configuration Parameters][6] for a complete listing of `main.cf` parameters. `/etc/postfix/postfix-files` describes the complete Postfix installation. - -Come back next week for installing and testing Dovecot, and sending ourselves some messages. - --------------------------------------------------------------------------------- - -via: https://www.linux.com/learn/how-build-email-server-ubuntu-linux - -作者:[CARLA SCHRODER][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linux.com/users/cschroder -[1]:https://www.linux.com/licenses/category/creative-commons-zero -[2]:https://www.linux.com/licenses/category/creative-commons-zero -[3]:https://www.linux.com/files/images/postfix-1png -[4]:https://www.linux.com/files/images/mail-stackjpg -[5]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services -[6]:http://www.postfix.org/postconf.5.html diff --git a/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md b/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md new file mode 100644 index 0000000000..91f480b7b1 --- /dev/null 
+++ b/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md 
@@ -0,0 +1,130 @@ +如何在Ubuntu环境下搭建邮件服务器 +============================================================ + + ![mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-stack.jpg?itok=SVMfa8WZ "mail server") +在这个系列的文章中,我们将通过使用Postfix,Dovecot,和openssl这三款工具来为你展示如何在ubuntu系统上搭建一个既可靠又很容易配置的邮件服务器。[Creative Commons Zero][2]Pixabay + +在这个容器和宏服务技术日新月异的时代,值得庆幸的是有些事情并没有改变,例如搭建一个Linux下的邮件服务器, It's still a dance of many steps and knitting together several different servers, 一旦你将这些步骤组合在一起,一切都是那么和谐稳定, instead of winking in and out of existence like microservices. 在这一系列的教程中,我们将在ubuntu系统上构建一个既可靠又容易配置的邮件服务器通过使用Postfix, Dovecot, 和OpenSSL这三款工具。 + +Postfix是一个古老又可靠的软件,它比sendmail更加容易配置和使用,原始的Unix系统的MTA软件(还有人仍然在用sendmail吗?). Exim是一个在Debain系统上的默认的MTA软件,它比postfix更加轻量而且超级容易配置,因此我们在将来的教程中会推出Exim的教程。 +(翻译者注 : MTA : 将来自MUA的信件转发给指定的用户的程序一般被称之为因特网邮件传送代理MTA(Mail Transfer Agent , 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Message_transfer_agent))。在linux/Unix系统上,最著名的MTA有sendamil、qmail等程序。)。 + + +Dovecot(译者注 : 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Dovecot_(software)))和Courier是两个非常受欢迎的优秀的IMAP/POP3协议的服务器软件,Dovecot更加的轻量并且更加容易配置。 + +你必须要保证你的邮件是安全的,因此我们就需要使用到OpenSSL这个软件,OPENSSL也支持一些很好用的工具来测试你的邮件服务器。 + +为了简单起见,在这一系列的教程中,我们将指导大家安装一个在公网上的邮件服务器,你应该拥有一个公网的网络而且需要确保它是开启的而且正在正常工作,[查看如何获取一个公网服务器的教程请点击这里],然后,你就可以注册你的域名,将你的域名解析到你的公网服务器的IP,并为你的服务器配置相应的防火墙,这个过程网上已经有很多很详细的教程了,这里不再赘述,请大家认真完成这个作业。 + +### 一些术语 + +让我们先来快速了解一些术语,因为当我们了解了这些术语的时候就能知道这些见鬼的东西到底是什么。 :D + +> * **MTA**: Mail transfer agent(邮件转发代理) 基于SMTP协议(简单邮件传输协议)的服务端, 就像Postfix,Exim,Sendmail ,SMTP服务端在这些工具之间进行相互通信。 +* **MUA**: Mail user agent(邮件用户代理)你本地的邮件客户端,例如 : Evolution, KMail, Claws Mail, 或者 Thunderbird(译者注 : 例如国内的foxmail)。 +* **POP3**: Post-office protocol, the simplest(邮局协议版本3) POP3协议,这个简单的协议是为了从SMTP服务器中获取邮件并提供给你本地的邮件客户端,一个POP服务端是非常简单而且很小巧的,你可以为数以千计的用户提供服务(From a single box?)。 +* **IMAP**: Interactive message access protocol IMAP协议(邮件访问协议),许多企业使用这个协议因为邮件可以被保存在服务器上,所以用户不必担心会丢失消息,IMAP服务器需要大量的内存和存储空间。 +* **TLS**: Transport socket 
layer(安全传输层协议),一个SSL(Secure Sockets Layer 安全套接层)的改良版,为身份认证提供了加密的传输服务。 +* **SASL**: Simple authentication(简单验证安全层) and security layer 简单身份认证与安全层 ,为需要加密身份认证的用户服务,SASL进行身份认证,而上面说的TLS保证数据进行加密传输。 +* **StartTLS**: 一个像TLS一样众所周知的协议 它提供一种方式将纯文本连接升级为加密连接(TLS或SSL)。 + 只有通信的双方都支持SSL/TLS的时候才会进行加密,如果一方不支持加密,则使用明文传输).StartTLS会使用标准的端口 25 (SMTP), 110 (POP3), and 143 (IMAP) 来进行明文通信以代替对应端口的加密通信465 (SMTP), 995 (POP3), and 993 (IMAP) + +### 是的 , 我们仍然在使用snedmail这个工具 + + 绝大多数的Linux版本仍然还保留着 `/usr/sbin/sendmail` . 在大多数的Linux发行版中,`/usr/sbin/sendmail` 会创建一个符号链接到你已经安装的MTA软件,然而很多版本的Linux依然还保留着`/usr/sbin/sendmail`,这也是故意这样做的。 + +### 如何安装postfix + +`apt-get install postfix` +你可以直接使用apt-get来安装,在你安装postfix你要特别小心,安装程序会打开一个向导,这个向导会询问你想到搭建的服务器类型,你要选择"Internet Server",为你的公网服务器,假设你的域名服务已经正确配置,(我这么多次提到这个是因为经常有人在这里出现错误),你可以使用你的hostname 。 + + + + ![Postfix](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/postfix-1.png?itok=NJLdtICb "Postfix") + +图 1: `Postfix` 的配置。[Creative Commons Zero][1]Carla Schroder + +ubuntu系统会为postfix创建一个配置文件启动三个守护进程 : `master, qmgr`, and `pickup`,There is no Postfix command or daemon. + +``` +$ ps ax + 6494 ? Ss 0:00 /usr/lib/postfix/master + 6497 ? S 0:00 pickup -l -t unix -u -c + 6498 ? S 0:00 qmgr -l -t unix -u +``` + +你可以使用postfix对你的配置文件的语法进行检查,如果你的配置文件是没有语法错误的,那么就不会有相应的输出。 + +``` +$ sudo postfix check +[sudo] password for carla: +``` + +可以使用 `netstat` 来验证 `postfix` 是否正在监听25端口。 + +``` +$ netstat -ant +tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN +tcp6 0 0 :::25 :::* LISTEN +``` + +现在让我们再来让古老的 `telnet` 躁起来进行测试 : + +``` +$ telnet myserver 25 +Trying 127.0.1.1... +Connected to myserver. +Escape character is '^]'. 
+220 myserver ESMTP Postfix (Ubuntu) +**EHLO myserver** +250-myserver +250-PIPELINING +250-SIZE 10240000 +250-VRFY +250-ETRN +250-STARTTLS +250-ENHANCEDSTATUSCODES +250-8BITMIME +250 DSN +**^]** + +telnet> +``` + +嘿,我们已经验证了我们的服务器名,而且postfix正在监听25端口而且正常响应了我们键入的命令。 + + +输入quit来退出telnet,例如 : 你刚才键入你服务器的交互环境的那些命令是粗体显示的,输出的信息是ESMTP协议的状态码。 +(译者注 : ESMTP (Extended SMTP),是扩展 SMTP 就是对标准 SMTP 协议进行的扩展. 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Extended_SMTP)) + +> * PIPELINING 允许多个命令同时执行,而不必对每个命令作出响应。 +* SIZE tells 表示服务器可接收的最大消息大小。 +* VRFY 可以告诉客户端某一个特定的邮箱地址是否存在,这通常被忽略 ,因为有可能会是一个安全漏洞。 +* ETRN 适用于具有不规则(不规则的)互联网连接(连接,连通性)的站点。这样的站点可以使用ETRN从上游服务器请求邮件传递(交付),并且Postfix可以配置为将推送(推送)邮件传递到ETRN客户端。 +* STARTTLS (详情见上述说明)。 +* ENHANCEDSTATUSCODES, 增强型的状态码和错误码。 +* 8BITMIME, 支持8位MIME,这意味着完整的ASCII字符集。一次一次,原始的ASCII是7位。 +* DSN, 传输状态通知,通知你传输时的错误。 + +postfix的主配置文件是 : `/etc/postfix/main.cf`,这个文件是安装程序创建的,可以查看这个资料 : 来查看这个配置文件的列表, `/etc/postfix/postfix-files`这个文件描述了postfix完整的安装过程 + +下周的教程我们会讲解Dovecot的安装和测试,然后会给我们自己发送一些邮件。 + +-------------------------------------------------------------------------------- + +via: https://www.linux.com/learn/how-build-email-server-ubuntu-linux + +作者:[CARLA SCHRODER][a] +译者:[WangYihang](https://github.com/WangYihang) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/cschroder +[1]:https://www.linux.com/licenses/category/creative-commons-zero +[2]:https://www.linux.com/licenses/category/creative-commons-zero +[3]:https://www.linux.com/files/images/postfix-1png +[4]:https://www.linux.com/files/images/mail-stackjpg +[5]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services +[6]:http://www.postfix.org/postconf.5.html + From 1d4103caf1929ed7134380d9206318d066e28947 Mon Sep 17 00:00:00 2001 
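Review bot: The paragraph starting `为了简单起见` in the translated mail-server file changes the scope of the tutorial: the removed source line sets up a LAN mail server, requires working LAN name services, and defers Internet exposure to a later step with firewall configuration, while the translation tells the reader to install a server on the public network (`公网上的邮件服务器`) and replaces the `[Dnsmasq For Easy LAN Name Services][5]` link with the placeholder `[查看如何获取一个公网服务器的教程请点击这里]`. The install section has the same drift: the source's wizard option is "Internet Site", chosen even for a LAN server, and the translation says "Internet Server" for a public server. Please restore the LAN wording and the link, since a reader following the translation would put the server on the Internet at a step where the source keeps it internal. Other points in this hunk: several English fragments are left untranslated ("It's still a dance of many steps...", "There is no Postfix command or daemon.", "From a single box?"); the `[Postfix Configuration Parameters][6]` link is dropped in `可以查看这个资料 : 来查看`; the StartTLS entry renders "Also known as opportunistic TLS" as `一个像TLS一样众所周知的协议`; the ETRN entry renders "defer" as 推送 and keeps working glosses in parentheses; both bullet lists put `> ` on the first item only, which breaks the list; and `宏服务`, `snedmail`, `sendamil` and `Debain` are typos.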
From: geekpi Date: Wed, 28 Dec 2016 10:51:28 +0800 Subject: [PATCH 031/181] translated --- .../tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md | 61 ++++++++++--------- 1 file changed, 31 insertions(+), 30 deletions(-) rename {sources => translated}/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md (51%) diff --git a/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md b/translated/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md similarity index 51% rename from sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md rename to translated/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md index c703c061a4..82a25368a8 100644 --- a/sources/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md +++ b/translated/tech/LXD/Part 8 - LXD 2.0--LXD in LXD.md 
@@ -1,43 +1,41 @@ -translating----geekpi +LXD 2.0 系列(八):LXD中的LXD +====================================== -Part 8 - LXD 2.0: LXD in LXD -============================== - -This is the eighth blog post [in this series about LXD 2.0][0]. +这是 [LXD 2.0 系列介绍文章][0]的第八篇。 ![](https://linuxcontainers.org/static/img/containers.png) -### Introduction +### 介绍 -In the previous post I covered how to run [Docker inside LXD][1] which is a good way to get access to the portfolio of application provided by Docker while running in the safety of the LXD environment. +在上一篇文章中,我介绍了如何运行[LXD中的Docker][1],这是一个很好的方式来访问由Docker提供的应用程序组合,同时Docker还运行在LXD提供的安全环境中。 -One use case I mentioned was offering a LXD container to your users and then have them use their container to run Docker. Well, what if they themselves want to run other Linux distributions inside their container using LXD, or even allow another group of people to have access to a Linux system by running a container for them? +我提到的一个情况是为你的用户提供一个LXD容器,然后让他们使用他们的容器来运行Docker。那么,如果他们自己想使用LXD在其容器中运行其他Linux发行版,或者甚至运行容器允许另一组人来访问Linux系统? -Turns out, LXD makes it very simple to allow your users to run nested containers. +原来LXD使得用户运行嵌套容器变得非常简单。 -### Nesting LXD +### 嵌套LXD -The most simple case can be shown by using an Ubuntu 16.04 image. Ubuntu 16.04 cloud images come with LXD pre-installed. The daemon itself isn’t running as it’s socket-activated so it doesn’t use any resources until you actually talk to it. 
+最简单的情况可以使用Ubuntu 16.04镜像来展示。 Ubuntu 16.04云镜像预装了LXD。守护进程本身没有运行,因为它是套接字激活的,所以它不使用任何资源,直到你真正使用它。 -So lets start an Ubuntu 16.04 container with nesting enabled: +让我们启动一个启用了嵌套的Ubuntu 16.04容器: ``` lxc launch ubuntu-daily:16.04 c1 -c security.nesting=true ``` -You can also set the security.nesting key on an existing container with: +你也可以在一个存在的容器上设置security.nesting: ``` lxc config set security.nesting true ``` -Or for all containers using a particular profile with: +或者对所有的容器使用一个配置文件: ``` lxc profile set security.nesting true ``` -With that container started, you can now get a shell inside it, configure LXD and spawn a container: +容器启动后,你可以从容器内部得到一个shell,配置LXD并生成一个容器: ``` stgraber@dakara:~$ lxc launch ubuntu-daily:16.04 c1 -c security.nesting=true 
@@ -81,34 +79,37 @@ root@c1:~# lxc list root@c1:~# ``` -It really is that simple! +就是这样简单 -### The online demo server +### 在线演示服务器 -As this post is pretty short, I figured I would spend a bit of time to talk about the [demo server][2] we’re running. We also just reached the 10000 sessions mark earlier today! +因为这篇文章很短,我想我会花一点时间谈论我们运行中的[演示服务器][2]。我们今天早些时候刚刚达到了10000个会话! -That server is basically just a normal LXD running inside a pretty beefy virtual machine with a tiny daemon implementing the REST API used by our website. +这个服务器基本上只是一个运行在一个相当强大的虚拟机上的正常的LXD,一个小型的守护进程实现我们的网站使用的REST API。 -When you accept the terms of service, a new LXD container is created for you with security.nesting enabled as we saw above. You are then attached to that container as you would when using “lxc exec” except that we’re doing it using websockets and javascript. +当你接受服务条款时,将为你创建一个新的LXD容器,并启用security.nesting,如上所述,接着你就像使用“lxc exec”时一样连接到了那个容器,除了我们使用websockets和javascript来做这些。 -The containers you then create inside this environment are all nested LXD containers. -You can then nest even further in there if you want to. +你在此环境中创建的容器都是嵌套的LXD容器。 +如果你想,你可以进一步地嵌套。 -We are using the whole range of [LXD resource limitations][3] to prevent one user’s actions from impacting the others and pretty closely monitor the server for any sign of abuse. 
+我们全范围地使用了[LXD资源限制][3],以防止一个用户的行为影响其他用户,并仔细监控服务器的任何滥用迹象。 -If you want to run your own similar server, you can grab the code for our website and the daemon with: +如果你想运行自己的类似的服务器,你可以获取我们的网站和守护进程的代码: ``` git clone https://github.com/lxc/linuxcontainers.org git clone https://github.com/lxc/lxd-demo-server ``` -### Extra information +### 额外信息 -The main LXD website is at: -Development happens on Github at: -Mailing-list support happens on: -IRC support happens in: #lxcontainers on irc.freenode.net +LXD 的主站在: + +LXD 的 GitHub 仓库: + +LXD 的邮件列表: + +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net -------------------------------------------------------------------------------- @@ -116,7 +117,7 @@ IRC support happens in: #lxcontainers on irc.freenode.net via: https://www.stgraber.org/2016/04/14/lxd-2-0-lxd-in-lxd-812/ 作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 From 096b679d6913da9dc20f2da1bf200e869d149d29 Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 10:54:11 +0800 Subject: [PATCH 032/181] translating --- sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md b/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md index d49c85e85d..07e7729157 100644 --- a/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md +++ b/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md @@ -1,3 +1,5 @@ +translating----geekpi + Part 9 - LXD 2.0: Live migration ================================= From 698fc8f2717c43b0a171a9bc9690ae5a1bf8a5bd Mon Sep 17 00:00:00 2001 
From: wxy Date: Wed, 28 Dec 2016 11:18:06 +0800 Subject: [PATCH 033/181] PROOF:20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking --- ...ucture from Linux Command Line – Part 2.md | 178 ++++++++++-------- 1 file changed, 96 insertions(+), 82 deletions(-) diff --git a/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md index 211852dc84..9cfde92c11 100644 --- a/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md +++ b/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md 
@@ -1,35 +1,36 @@ -How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 +在 Linux 命令行下管理 Samba4 AD 架构(二) ============================================================ -在 Linux 命令行下管理 Samba4 AD 架构 —— 第 2 节 -这篇文章包括你管理 Samba4 域控制器架构过程中的[一些常用命令][2],比如添加,移除,禁用或者列出用户及用户组等。 +这篇文章包括了管理 Samba4 域控制器架构过程中的一些常用命令,比如添加、移除、禁用或者列出用户及用户组等。 我们也会关注一下如何配置域安全策略以及如何把 AD 用户绑定到本地的 PAM 认证中,以实现 AD 用户能够在 Linux 域控制器上进行本地登录。 #### 要求 -1. [在 Ubuntu 16.04系统上,使用 Samba4 创建一个 AD 架构环境 —— 第一节][1] +- [在 Ubuntu 系统上使用 Samba4 来创建活动目录架构][1] ### 第一步:在命令行下管理 -1. 可以通过 samba-tool 命令工具来进行管理,这个工具为域管理工作提供了一个功能强大的管理接口。 +1、 可以通过 `samba-tool` 命令行工具来进行管理,这个工具为域管理工作提供了一个功能强大的管理接口。 -通过 samba-tool 命令行接口,你可以直接管理域用户及用户组,域组策略,域站点,DNS 服务,域复制关系和其它重要的域功能。 +通过 `samba-tool` 命令行接口,你可以直接管理域用户及用户组、域组策略、域站点,DNS 服务、域复制关系和其它重要的域功能。 -使用 root 权限的账号,直接输入 samba-tool 命令,不要加任何参数选项来查看该工具能实现的所有功能。 +使用 root 权限的账号,直接输入 `samba-tool` 命令,不要加任何参数选项来查看该工具能实现的所有功能。 ``` # samba-tool -h -``` +``` + [ ![samba-tool - Manage Samba Administration Tool](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png) ][3] -samba-tool —— Samba 管理工具 +*samba-tool —— Samba 管理工具* -2. 现在,咱们开始使用 samba-tool 工具来管理 Samba4 活动目录中的用户。 +2、 现在,让我们开始使用 `samba-tool` 工具来管理 Samba4 活动目录中的用户。 + +使用如下命令来创建 AD 用户: -使用如下命令来创建 AD 用户: ``` # samba-tool user add your_domain_user ``` 
@@ -40,64 +41,66 @@ samba-tool —— Samba 管理工具 --------- review all options --------- # samba-tool user add -h # samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash -``` +``` + [ ![Create User on Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png) ][4] -在 Samba AD 上创建用户 +*在 Samba AD 上创建用户* -3. 可以通过下面的命令来列出所有 Samba AD 域用户: +3、 可以通过下面的命令来列出所有 Samba AD 域用户: ``` # samba-tool user list -``` +``` + [ ![List Samba AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png) ][5] -列出 Samba AD 用户信息 +*列出 Samba AD 用户信息* -4. 使用下面的命令来删除 sambas AD 域用户: +4、 使用下面的命令来删除 Samba AD 域用户: ``` # samba-tool user delete your_domain_user ``` -5. 重置 Samba 域用户的密码: +5、 重置 Samba 域用户的密码: ``` # samba-tool user setpassword your_domain_user ``` -6. 启用或禁用 Samba 域用户账号 +6、 启用或禁用 Samba 域用户账号: ``` # samba-tool user disable your_domain_user # samba-tool user enable your_domain_user ``` -7. 同样地,可以使用下面的方法来管理 samba 用户组: -8.  +7、 同样地,可以使用下面的方法来管理 Samba 用户组: + ``` --------- review all options --------- # samba-tool group add –h # samba-tool group add your_domain_group ``` -8. 删除 samba 域用户组: +8、 删除 samba 域用户组: ``` # samba-tool group delete your_domain_group ``` -9. 显示所有的 samba 域用户组信息: -10.  +9、 显示所有的 Samba 域用户组信息: +  ``` # samba-tool group list ``` -10. 列出指定组下的 samba 域用户: +10、 列出指定组下的 Samba 域用户: ``` # samba-tool group listmembers "your_domain group" 
@@ -106,16 +109,16 @@ samba-tool —— Samba 管理工具 ![List Samba Domain Members of Group](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png) ][6] -列出 Samba 域用户组 +*列出 Samba 域用户组* -11. 从 samba 域组中添加或删除某一用户: +11、 从 Samba 域组中添加或删除某一用户: ``` # samba-tool group addmembers your_domain_group your_domain_user # samba-tool group remove members your_domain_group your_domain_user ``` -12. 如上面所提到的, samba-tool 命令行工具也可以用于管理 samba 域策略及安全。 +12、 如上面所提到的, `samba-tool` 命令行工具也可以用于管理 Samba 域策略及安全。 查看 samba 域密码设置: @@ -126,28 +129,30 @@ samba-tool —— Samba 管理工具 ![Check Samba Domain Password](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png) ][7] -检查 Samba 域密码 +*检查 Samba 域密码* + +13、 为了修改 samba 域密码策略,比如密码复杂度,密码失效时长,密码长度,密码重复次数以及其它域控制器要求的安全策略等,可参照如下命令来完成: -13. 为了修改 samba 域密码策略,比如密码复杂度,密码失效时长,密码长度,密码重复次数以及其它域控制器要求的安全策略等,可参照如下命令来完成: ``` ---------- List all command options ---------- # samba-tool domain passwordsettings -h -``` +``` + [ ![Manage Samba Domain Password Settings](http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png) ][8] -管理 Samba 域密码策略 +*管理 Samba 域密码策略* 不要把上图中的密码策略规则用于生产环境中。上面的策略仅仅是用于演示目的。 -### 第二步:使用活动目录账号来完成 Samba 本地认证。 +### 第二步:使用活动目录账号来完成 Samba 本地认证 -14. 默认情况下,离开 Samba AD DC 环境,AD 用户不能从本地登录到 Linux 系统。 +14、 默认情况下,离开 Samba AD DC 环境,AD 用户不能从本地登录到 Linux 系统。 为了让活动目录账号也能登录到系统,你必须在 Linux 系统环境中做如下设置,并且要修改 Samba4 AD DC 配置。 -首先,打开 Samba 主配置文件,如果以下内容下存在,则添加: +首先,打开 Samba 主配置文件,如果以下内容不存在,则添加: ``` $ sudo nano /etc/samba/smb.conf 
@@ -158,39 +163,42 @@ $ sudo nano /etc/samba/smb.conf ``` winbind enum users = yes winbind enum groups = yes -``` +``` + [ ![Samba Authentication Using Active Directory User Accounts](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png) ][9] -Samba 通过活动目录用户账号来进行认证 +*Samba 通过 AD 用户账号来进行认证* -15. 修改之后,使用 testparm 工具来验证配置文件没有错误,然后通过如下命令来重启 samba 服务: +15、 修改之后,使用 `testparm` 工具来验证配置文件没有错误,然后通过如下命令来重启 Samba 服务: ``` $ testparm $ sudo systemctl restart samba-ad-dc.service -``` +``` + [ ![Check Samba Configuration for Errors](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png) ][10] -检查 Samba 配置文件是否报错 +*检查 Samba 配置文件是否报错* -16. 下一步,我们需要修改本地 PAM 配置文件,以让 Samba4 活动目录账号能够完成本地认证,开启会话,并且在第一次登录系统时创建一个用户目录。 +16、 下一步,我们需要修改本地 PAM 配置文件,以让 Samba4 活动目录账号能够完成本地认证、开启会话,并且在第一次登录系统时创建一个用户目录。 -使用 pam-auth-update 命令来打开 PAM 配置提示界面,确保所有的 PAM 选项都已经使用 `[space]` 键来启用,如下图所示: +使用 `pam-auth-update` 命令来打开 PAM 配置提示界面,确保所有的 PAM 选项都已经使用 `[空格]` 键来启用,如下图所示: -完成之后,按 `[Tab]` 键跳转到 OK ,以应用修改。 +完成之后,按 `[Tab]` 键跳转到 OK ,以启用修改。 ``` $ sudo pam-auth-update -``` +``` + [ ![Configure PAM for Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png) ][11] -为 Samba4 AD 配置 PAM 认证 +*为 Samba4 AD 配置 PAM 认证* [ ![Enable PAM Authentication Module for Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png) @@ -198,7 +206,7 @@ $ sudo pam-auth-update 为 Samba4 AD 用户启用 PAM认证模块 -17. 现在,使用文本编辑器打开 /etc/nsswitch.conf 配置文件,在 passwd 和 group 参数的最后面添加 winbind参数如下图所示: +17、 现在,使用文本编辑器打开 `/etc/nsswitch.conf` 配置文件,在 `passwd` 和 `group` 参数的最后面添加 `winbind` 参数,如下图所示: ``` $ sudo vi /etc/nsswitch.conf 
@@ -207,11 +215,11 @@ $ sudo vi /etc/nsswitch.conf ![Add Windbind Service Switch for Samba](http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png) ][13] -为 Samba 服务添加 Winbind Service Switch 设置 +*为 Samba 服务添加 Winbind Service Switch 设置* -18. 最后,编辑 /etc/pam.d/common-password 文件,查找下图所示行并删除 user_authtok 参数。 +18、 最后,编辑 `/etc/pam.d/common-password` 文件,查找下图所示行并删除 `user_authtok` 参数。 -该设置确保活动目录用户在通过 Linux 系统本地认证后,可以在命令行下修改他们的密码。加上这个参数之后, 本地认证的 AD 用户在控制台下不能修改他们的密码。 +该设置确保 AD 用户在通过 Linux 系统本地认证后,可以在命令行下修改他们的密码。有这个参数时,本地认证的 AD 用户不能在控制台下修改他们的密码。 ``` password [success=1 default=ignore] pam_winbind.so try_first_pass @@ -220,11 +228,11 @@ password [success=1 default=ignore] pam_winbind.so try_first_pass ![Allow Samba AD Users to Change Passwords](http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png) ][14] -允许 Samba AD 用户修改密码 +*允许 Samba AD 用户修改密码* -在每次 PAM 更新安装完成并应用到 PAM 模块,或者你每次执行 pam-auth-update 命令后,你都需要删除 use_authton 选项。 +在每次 PAM 更新安装完成并应用到 PAM 模块,或者你每次执行 `pam-auth-update` 命令后,你都需要删除 `use_authtok` 参数。 -19. Samba4 的二进制文件会生成一个内建的 windindd 进程,并且默认是启用的。 +19、 Samba4 的二进制文件会生成一个内建的 windindd 进程,并且默认是启用的。 因此,你没必要再次去启用并运行 Ubuntu 系统官方自带的 winbind 服务。 
@@ -235,31 +243,33 @@ $ sudo systemctl disable winbind.service $ sudo systemctl stop winbind.service ``` -并且,我们也没必要再运行原有的 winbind 进程,但是为了安装并使用 wbinfo 工具,我们还得从系统软件库中安装 Winbind 包。 +虽然我们不再需要运行原有的 winbind 进程,但是为了安装并使用 wbinfo 工具,我们还得从系统软件库中安装 Winbind 包。 -Wbinf 工具可以用来从 winbindd 进程侧来查询活动目录用户和组。 +wbinfo 工具可以用来从 winbindd 进程侧来查询活动目录用户和组。 -以下命令显示了使用 wbinfo 命令如何查询 AD 用户及组信息。 +以下命令显示了使用 `wbinfo` 命令如何查询 AD 用户及组信息。 ``` $ wbinfo -g $ wbinfo -u $ wbinfo -i your_domain_user -``` +``` + [ ![Check Samba4 AD Information ](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png) ][15] -检查 Samba4 AD 信息 +*检查 Samba4 AD 信息* + [ ![Check Samba4 AD User Info](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png) ][16] -检查 Samba4 AD 用户信息 +*检查 Samba4 AD 用户信息* -20. 除了 wbinfo 工具外,你也可以使用 getent 命令行工具从 Name Service Switch 库中查询活动目录信息库,在 /etc/nsswitch.conf 配置文件中有相关描述内容。 +20、 除了 `wbinfo` 工具外,你也可以使用 `getent` 命令行工具从 Name Service Switch 库中查询活动目录信息库,在 `/etc/nsswitch.conf` 配置文件中有相关描述内容。 -getent 命令使用管道符及 grep 选项来过滤结果集,以获取信息库中 AD 域用户及组信息。 +通过 grep 命令用管道符从 `getent` 命令过滤结果集,以获取信息库中 AD 域用户及组信息。 ``` # getent passwd | grep TECMINT 
@@ -269,92 +279,96 @@ getent 命令使用管道符及 grep 选项来过滤结果集,以获取信息 ![Get Samba4 AD Details](http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png) ][17] -查看 Samba4 AD 详细信息 +*查看 Samba4 AD 详细信息* ### 第三步:使用活动目录账号登录 Linux 系统 -21. 为了使用 Samba4 AD 用户登录系统,使用 `su -` 命令切换到 AD 用户账号即可。 +21、 为了使用 Samba4 AD 用户登录系统,使用 `su -` 命令切换到 AD 用户账号即可。 -第一次登录系统后,控制台会有信息提示用户的 home 目录已创建完成,系统路径为 `/home/$DOMAIN/` ,名字为用户的 AD 账号名。 +第一次登录系统后,控制台会有信息提示用户的 home 目录已创建完成,系统路径为 `/home/$DOMAIN/` 之下,名字为用户的 AD 账号名。 -使用 id 命令来查询其它已登录的用户信息。 +使用 `id` 命令来查询其它已登录的用户信息。 ``` # su - your_ad_user $ id $ exit -``` +``` + [ ![Check Samba4 AD User Authentication on Linux](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png) ][18] -检查 Linux 下 Samba4 AD 用户认证结果 +*检查 Linux 下 Samba4 AD 用户认证结果* -22. 当你成功登入系统后,在控制台下输入 passwd 命令来修改已登录的 AD 用户密码。 +22、 当你成功登入系统后,在控制台下输入 `passwd` 命令来修改已登录的 AD 用户密码。 ``` $ su - your_ad_user $ passwd ``` + [ ![Change Samba4 AD User Password](http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png) ][19] -修改 Samba4 AD 用户密码 +*修改 Samba4 AD 用户密码* -23. 默认情况下,为了完成 Linux 系统的管理性工作,活动目录用户没有 root 账号权限。 +23、 默认情况下,活动目录用户没有可以完成系统管理工作的 root 权限。 要授予 AD 用户 root 权限,你必须把用户名添加到本地 sudo 组中,可使用如下命令完成。 -确保你已输入域,斜杠和 AD 用户名,并且使用英文单引号括起来,如下所示: +确保你已输入域 、斜杠和 AD 用户名,并且使用英文单引号括起来,如下所示: ``` # usermod -aG sudo 'DOMAIN\your_domain_user' ``` -要检查 AD 用户在本地系统上是否有 root 权限,登录后执行一个命令,比如,使用 sudo 权限执行 apt-get update 命令。 +要检查 AD 用户在本地系统上是否有 root 权限,登录后执行一个命令,比如,使用 sudo 权限执行 `apt-get update` 命令。 ``` # su - tecmint_user $ sudo apt-get update -``` +``` + [ ![Grant sudo Permission to Samba4 AD User](http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png) ][20] -授予 Samba4 AD 用户 sudo 权限 +*授予 Samba4 AD 用户 sudo 权限* -24. 
如果你想把活动目录组中的所有账号都授予 root 权限,使用 visudo 命令来编辑 /etc/sudoers 配置文件,在 root 权限那一行添加如下内容: +24、 如果你想把活动目录组中的所有账号都授予 root 权限,使用 `visudo` 命令来编辑 `/etc/sudoers` 配置文件,在 root 权限那一行添加如下内容: ``` %DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL ``` -注意 sudoers 这个单词不要分开写。 +注意 `/etc/sudoers` 的格式,不要弄乱。 -Sudoers 配置文件对于 ASCII 字符处理的不是很好,因此务必使用 '%' 来标识用户组,使用反斜杠来转义域名后的第一个斜杠,如果你的组名中包含空格(大多数 AD 内建组默认情况下包含空格)使用另外一个反斜杠来转义空格。并且域的名称要大写。 +`/etc/sudoers` 配置文件对于 ASCII 引号字符处理的不是很好,因此务必使用 '%' 来标识用户组,使用反斜杠来转义域名后的第一个斜杠,如果你的组名中包含空格(大多数 AD 内建组默认情况下都包含空格)使用另外一个反斜杠来转义空格。并且域的名称要大写。 [ ![Give Sudo Access to All Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png) ][21] -授予所有 Samba4 用户 sudo 权限 +*授予所有 Samba4 用户 sudo 权限* -好了,差不多就这些了!管理 Samba4 AD 架构也可以使用 Windows 环境中的其它几个工具,比如 ADUC,DNS 管理器, GPM 等等,这些工具可以通过安装从 Microsoft 官网下载的 RSAT 软件包来获得。 +好了,差不多就这些了!管理 Samba4 AD 架构也可以使用 Windows 环境中的其它几个工具,比如 ADUC、DNS 管理器、 GPM 等等,这些工具可以通过安装从 Microsoft 官网下载的 RSAT 软件包来获得。 + +要通过 RSAT 工具来管理 Samba4 AD DC ,你必须要把 Windows 系统加入到 Samba4 活动目录。这将是我们下一篇文章的重点,在这之前,请继续关注。 -要通过 RSAT 工具来管理 Samba4 AD DC ,你必须要把 Windows 系统加入到 Samba4 活动目录。这将是我们下一篇文章的重点,在这之前,多关注 TechMint 网站内容。 -------------------------------------------------------------------------------- via: http://www.tecmint.com/manage-samba4-active-directory-linux-command-line -作者:[Matei Cezar ][a] +作者:[Matei Cezar][a] 译者:[rusking](https://github.com/rusking) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 [a]:http://www.tecmint.com/author/cezarmatei/ -[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[1]:https://linux.cn/article-8065-1.html [2]:http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/ [3]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png [4]:http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png 
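Review bot: In the `@@ -40,64 +41,66 @@` hunk of PATCH 033/181, the group help command still reads `# samba-tool group add –h` with a typographic en dash instead of a hyphen, unlike the `# samba-tool user add -h` line earlier in the same hunk. Since this proofreading pass already rewrites the step 7 line directly above it, change `–h` to `-h` so the command can be copied as printed.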
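Review bot: Under step 11 in the `@@ -106,16 +109,16 @@` hunk of PATCH 033/181, the second command is left as `# samba-tool group remove members your_domain_group your_domain_user`. The subcommand is a single word, `removemembers`, parallel to the `addmembers` line above it, so with the space it does not do what the step describes. The step heading was edited in this hunk; the command should be corrected in the same pass.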
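Review bot: The rewritten step 18 line in the `@@ -207,11 +215,11 @@` hunk of PATCH 033/181 names the PAM option as `user_authtok`, while the line corrected in the next hunk calls it `use_authtok`. The option is `use_authtok`, so step 18 should use that spelling too; as it stands the reader is told to look in `/etc/pam.d/common-password` for a string that does not occur there.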
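Review bot: The new step 19 line in the `@@ -220,11 +228,11 @@` hunk of PATCH 033/181 keeps the misspelling `windindd`. The daemon is `winbindd`, which is how the `wbinfo` paragraph in the following hunk spells it, so the two should agree.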
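Review bot: The `[2]:` reference definition kept as context at the end of the `@@ -269,92 +279,96 @@` hunk of PATCH 033/181 appears to be orphaned, because the first hunk replaced `[一些常用命令][2]` with plain text. Either restore the link in the introductory sentence or remove the `[2]:` definition. The same hunk repoints `[1]:` to a linux.cn article, which is fine, but the two changes should be made consistently.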
From 0645045b027f5c0216c32832282f61f211a80762 Mon Sep 17 00:00:00 2001 From: wxy Date: Wed, 28 Dec 2016 11:18:19 +0800 Subject: [PATCH 034/181] PUB:20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking --- ...e Samba4 AD Infrastructure from Linux Command Line – Part 2.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md (100%) diff --git a/translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/published/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md similarity index 100% rename from translated/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md rename to published/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md From 9552da39e1395707e9ee91d9538283e644f3415a Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Wed, 28 Dec 2016 11:33:16 +0800 Subject: [PATCH 035/181] Proofreading in progress MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Proofreading in progress --- ...Debt —Here'sHowtoBuild Technical Wealth.MD | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index b6c5594622..8cf0df1a10 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD 
@@ -9,52 +9,52 @@ ### 反思遗留代码 -关于遗留代码最广泛的定义由Michael Feathers在他的著作[修改代码的艺术][56][][55]一书中提出:遗留代码就是没有被测试的代码。这个定义比大多数人所认为的——遗留代码仅指那些古老陈旧的系统这个说法要妥当得多。但是Goulet认为这两种定义都不够明确。“随时软件周期的生长,遗留代码显得毫无用处。一两年的应用程序,其代码已经进入遗留状态了,”她说。“最重要的是如何提高软件质量的难易程度。” +关于遗留代码最常见的定义是由 Michael Feathers 在他的著作[《高效利用遗留代码》Working Effectively with Legacy Code][56]一书中提出:遗留代码就是没有被测试的代码。这个定义比大多数人所认为的 —— 遗留代码仅指那些古老陈旧的系统这个说法要妥当得多。但是 Goulet 认为这两种定义都不够明确。“遗留代码与软件的年头儿毫无关系。一个两年的应用程序,其代码可能已经进入遗留状态了,”她说。“关键要看软件质量提高的难易程度。” -这意味着代码写得不够清楚,缺少解释说明,没有任何关于你写的代码构件和做出这个决定的流程。一个单元测试属于一种类型的构件,也包括所有的你写那部分代码的原因以及逻辑推理相关的文档。当你去修复代码的过程中,如果没办法搞清楚原开发者的意图,那些代码就属于遗留代码了。 +这意味着代码写得不够清楚,缺少解释说明,没有包含任何关于代码构思和决策制定的流程。单元测试可以有一定帮助,但也要包括所有的写那部分代码的原因以及逻辑推理相关的文档。如果想要提升代码,但没办法搞清楚原开发者的意图 —— 那些代码就属于遗留代码了。 -> 遗留代码不是技术问题,而是沟通上的问题 +> **遗留代码不是技术问题,而是沟通上的问题。** ![](https://s3.amazonaws.com/marquee-test-akiaisur2rgicbmpehea/H4y9x4gQj61G9aK4v8Kp_Screen%20Shot%202016-08-11%20at%209.16.38%20AM.png) -如果你像Goulet所说的那样迷失在遗留代码里,你会发现每一次的沟通交流过程都会变得像那条鲜为人知的[康威定律][54]所描述的一样。 +如果你像 Goulet 所说的那样迷失在遗留代码里,你会发现每一次的沟通交流过程都会变得像那条[康威定律Conway’s Law][54]所描述的一样。 -Goulet说:“这个定律认为系统的基础架构能反映出你们整个公司的组织沟通结构,如果你想修复你们公司的遗留代码而没有一个好的组织沟通方式是不可能完成的。那是很多人都没注意到的一个重要环节。” +Goulet 说:“这个定律认为系统的基础架构能反映出整个公司的组织沟通结构,如果想修复公司的遗留代码,而没有一个好的组织沟通方式是不可能完成的。那是很多人都没注意到的一个重要环节。” -Goulet和她的团队成员更像是考古学家一样来研究遗留系统项目。他们根据前开发者写的代码构件相关的线索来推断出他们的思想意图。然后再根据这些构件之间的关系来作出新的决策。 +Goulet 和她的团队成员更像是考古学家一样来研究遗留系统项目。他们根据前开发者写的代码构件相关的线索来推断出他们的思想意图。然后再根据这些构件之间的关系来做出新的决策。 -最重要的代码构件是什么呢?良好的代码结构、清晰的思想意图、整洁的代码。例如,如果你使用了通用的名称如”foo“或”bar“来命名一个变量,半年后你再返回来看这段代码时,你根本就看不出这个变量的用途是什么。 +最重要的代码是什么样子呢?**良好的代码结构、清晰的思想意图、整洁的代码**。例如,如果使用通用的名称如 “foo” 或 “bar” 来命名一个变量,半年后再返回来看这段代码时,根本就看不出这个变量的用途是什么。 -如果代码读起来很困难,可以使用源代码控制系统,这是一个非常有用的构件,因为从该构件可以看出代码的历史修改信息,这为软件开发者写明他们作出本次修改的原因提供一个很好的途径。 +如果代码读起来很困难,可以使用源代码控制系统,这是一个非常有用的工具,因为它可以提供代码的历史修改信息,并允许软件开发者写明他们作出本次修改的原因。 
-Goulet说:”我一个朋友认为对于代码注释的信息,如有需要,每一个概要部分的内容应该有推文的一半多,而代码的描述信息应该有一篇博客那么长。你得用这个方式来为你修改的代码写一个合理的说明。这也不会浪费太多的时间,并且给后期的项目开发者提供更多有用的信息,但是让人惊讶的是没人会这么做。我们经常听到一些很沮丧的开发人员在调试一段代码的过程中报怨这是谁写的这烂代码,最后发现还不是他们自己写的。“ +Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要,每一个概要部分的内容应该有推文的一半多,而代码的描述信息应该有一篇博客那么长。你得用这个方式来为你修改的代码写一个合理的说明。这不会浪费太多额外的时间,并且能给后期的项目开发者提供非常多的有用的信息,但是让人惊讶的是很少有人会这么做。我们经常听到一些开发人员在调试代码的过程中,很沮丧的报怨这是谁写的这烂代码,最后发现还不是他们自己写的。” -使用自动化测试对于理解程序的流程非常有用。Goulet解释道:“很多人都比较认可Michael Feathers提出的关于遗留代码的定义,尤其是我们与[行为驱动开发模式][53]相结合的过程中使用测试套件,比如编写测试场景,这对于理解开发者的意图来说是非常有用的工具。 +使用自动化测试对于理解程序的流程非常有用。Goulet 解释道:“很多人都比较认可 Michael Feathers 提出的关于遗留代码的定义。测试套件对于理解开发者的意图来说是非常有用的工具,尤其当用来与[行为驱动开发模式Behavior Driven Development][53]相结合时,比如编写测试场景。” -理由很简单,如果你想把遗留代码的程度降到最低,你得多注意下代码的易理解性以及将来回顾该代码的一些细节上。编写并运行单元程序、接受、认可,并且进行集成测试,写清楚注释的内容。方便以后你自己或是别人来理解你写的代码。 +理由很简单,如果你想利用好遗留代码,你得多注意使代码在将来易于理解和工作的一些细节上。编写并运行单元程序、接受、认可,并且进行集成测试,写清楚注释的内容。方便以后你自己或是别人来理解你写的代码。 尽管如此,由于很多已知的和不可意料的原因,遗留代码仍然会发生。 -在创业公司刚成立初期,公司经常会急于推出很多新的功能。开发人员在巨大的压力下一边完成项目交付一边测试系统缺陷。Corgibytes团队就遇到过好多公司很多年都懒得对系统做详细的测试了。 +在创业公司刚成立初期,公司经常会急于推出很多新的功能。开发人员在巨大的交付压力下,测试常常半途而废。Corgibytes 团队就遇到过好多公司很多年都懒得对系统做详细的测试了。 -确实如此,当你急于开发出系统原型的时候,强制性地去做太多的系统测试也许意义不大。但是,一旦产品开发完成并投入使用后,你就不得投入大量的时间精力来维护及完善系统。“很多人觉得运维没什么好担心的,重要的是产品功能特性上的强大。如果真这样,当系统规模到一定程序的时候,就很难再扩展了。同时也就失去市场竞争力了。 +确实如此,当你急于开发出系统原型的时候,强制性地去做太多的测试也许意义不大。但是,一旦产品开发完成并投入使用后,你就需要投入时间精力来维护及完善系统了。Goulet 说:“很多人觉得运维没什么好担心的,重要的是产品功能特性上的强大。如果真这样,当系统规模到一定程序的时候,就很难再扩展了。同时也就失去市场竞争力了。 -最后才明白过来,原来热力学第二定律对你们公司的代码也同样适用:你所面临的一切将向熵增的方向发展。你需要与混乱无序的技术债务进行一场无休无止的战斗。并且随着时间的增长,遗留代码也逐渐变成一种简单类型的债务。 +最后才明白过来,原来热力学第二定律对代码也同样适用:你所面临的一切将向熵增的方向发展。你需要与混乱无序的技术债务进行一场无休无止的战斗。遗留代码随着时间的增长,也逐渐变成一种债务。 -她说:“我们再次拿家来做比喻。你必须坚持每天收拾餐具,打扫卫生,倒垃圾。如果你不这么做,情况将来越来越糟糕,直到有一天你不得不向HazMat团队求助。” +她说:“我们再次拿家来做比喻。你必须坚持每天收拾餐具,打扫卫生,倒垃圾。如果你不这么做,情况将来越来越糟糕,直到有一天你不得不向 HazMat 团队求助。”(译者注:HazMat 团队,危害物质专队) -就跟这种情况一样,Corgibytes团队接到很多公司CEO的求助电话,比如Features公司的CEO在电话里抱怨道:“现在我们公司的开发团队工作效率太低了,三年前只需要两个星期就完成的工作,现在却要花费12个星期。” +就跟这种情况一样,Corgibytes 团队接到很多公司 CEO 的求助电话,比如 Features 公司的 CEO 
在电话里抱怨道:“现在我们公司的开发团队工作效率太低了,三年前只需要两个星期就完成的工作,现在却要花费12个星期。” -> 技术债务往往反应出公司运作上的问题 +> **技术债务往往反应出公司运作上的问题。** -很多公司的CEO明知会发生技术债务的问题,但是他们也难让其它同事相信花钱来修复那些已经存在的问题是很值的。这看起来像是在走回头路,很乏味或者没有新的产品。有些公司直到系统已经严重的影响了日常工作效率时才着手去处理技术债务方面的问题,那时付出的代价就太高了。 +很多公司的 CTO 明知会发生技术债务的问题,但是他们很难说服其它同事相信,花钱来修复那些已经存在的问题是值得的。这看起来像是在走回头路,很乏味或者没有新的产品。有些公司直到系统已经严重影响了日常工作效率时,才着手去处理这些技术债务方面的问题,那时付出的代价就太高了。 ### 忘记债务,创造技术财富 -# 推荐文章 - 如果你想把[重构技术债务][52]作为一个积累技术财富的机会-[敏捷开发讲师Declan Whelan最近提到的一个术语][51],你很可能要先说服你们公司的CEO、投资者和其它的股东登上这条财富之船。 +You’re much more likely to get your CEO, investors and other stakeholders on board if you reframe your technical debt as an opportunity to accumulate technical wealth — a term recently coined by agile development coach Declan Whelan. +“We need to stop thinking about debt as evil. Technical debt can be very useful when you’re in the early-stage trenches of designing and building your product,” says Goulet. “And when you resolve some debt, you’re giving yourself momentum. When you install new windows in your home, yes you’re spending a bunch of money, but then you save a hundred dollars a month on your electric bill. The same thing happens with code. Only instead of efficiency, you gain productivity that compounds over time.” “我们没必要把技术债务想像得很可怕。当产品处于开发设计初期,技术债务反而变得非常有用,”Goulet说。“当你解决一些系统遗留的技术问题时,你会充满成就感。例如,当你在自己家里安装新窗户时,你确实会花费一笔不少的钱,但是之后你每个月就可以节省100美元的电费。程序代码亦是如此。这虽然暂时没有提高工作效率,但是随时时间地推移将为你们公司创造更多的生产率。“ 一旦你意识到项目团队工作不再富有成效时,你必须要确认下是哪些技术债务在拖后腿了。 @@ -277,7 +277,6 @@ via: http://firstround.com/review/forget-technical-debt-heres-how-to-build-techn [52]:https://www.agilealliance.org/resources/initiatives/technical-debt/ [53]:https://en.wikipedia.org/wiki/Behavior-driven_development [54]:https://en.wikipedia.org/wiki/Conway%27s_law -[55]:https://www.amazon.com/Working-Effectively-Legacy-Michael-Feathers/dp/0131177052 [56]:https://www.amazon.com/Working-Effectively-Legacy-Michael-Feathers/dp/0131177052 [57]:http://corgibytes.com/ [58]:https://www.linkedin.com/in/andreamgoulet 
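Review bot: Under `### 忘记债务,创造技术财富` in the `@@ -9,52 +9,52 @@` hunk of PATCH 035/181, two paragraphs of English source text are added to the translated file. The first (`You’re much more likely to get your CEO, investors and other stakeholders on board ...`) replaces the Chinese sentence outright and drops its `[52]` and `[51]` links; the second (`“We need to stop thinking about debt as evil. ...`) sits directly above the existing Chinese rendering of the same quote. If these are working notes for the proofreading pass, they should be replaced with the revised Chinese, with both links restored, before this lands in `translated/`. In the same hunk, the added line beginning `Goulet 说:“很多人觉得运维` opens a quotation mark that is never closed.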
From c9d0435f4a18af6f6489a2e1473f6263e0b10924 Mon Sep 17 00:00:00 2001 From: geekpi Date: Wed, 28 Dec 2016 11:37:33 +0800 Subject: [PATCH 036/181] translated --- .../LXD/Part 9 - LXD 2.0--Live migration.md | 110 +++++++++--------- 1 file changed, 54 insertions(+), 56 deletions(-) rename {sources => translated}/tech/LXD/Part 9 - LXD 2.0--Live migration.md (58%) diff --git a/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md b/translated/tech/LXD/Part 9 - LXD 2.0--Live migration.md similarity index 58% rename from sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md rename to translated/tech/LXD/Part 9 - LXD 2.0--Live migration.md index 07e7729157..afbbd8bd24 100644 --- a/sources/tech/LXD/Part 9 - LXD 2.0--Live migration.md +++ b/translated/tech/LXD/Part 9 - LXD 2.0--Live migration.md 
@@ -1,38 +1,36 @@ -translating----geekpi +LXD 2.0 系列(九):实时迁移 +====================================== -Part 9 - LXD 2.0: Live migration -================================= - -This is the ninth blog post [in this series about LXD 2.0][0]. +这是 [LXD 2.0 系列介绍文章][0]的第九篇。 ![](https://linuxcontainers.org/static/img/containers.png) -### Introduction +### 介绍 -One of the very exciting feature of LXD 2.0, albeit experimental, is the support for container checkpoint and restore. +LXD 2.0中的有一个尽管是实验性质的但非常令人兴奋的功能,那就是支持容器检查点和恢复。 -Simply put, checkpoint/restore means that the running container state can be serialized down to disk and then restored, either on the same host as a stateful snapshot of the container or on another host which equates to live migration. +简单地说,检查点/恢复意味着正在运行的容器状态可以被序列化到磁盘,然后在与容器状态快照相同的主机上或者在等同于实时迁移的另一主机上恢复。 -### Requirements +### 要求 -To have access to container live migration and stateful snapshots, you need the following: +要访问容器实时迁移和有状态快照,你需要以下条件: -- A very recent Linux kernel, 4.4 or higher. -- CRIU 2.0, possibly with some cherry-picked commits depending on your exact kernel configuration. -- Run LXD directly on the host. It’s not possible to use those features with container nesting. -- For migration, the target machine must at least implement the instruction set of the source, the target kernel must at least offer the same syscalls as the source and any kernel filesystem which was mounted on the source must also be mountable on the target. 
+- 一个最近的Linux内核,4.4或更高版本。 +- CRIU 2.0,可能有一些cherry-pick的提交,具体取决于你确切的内核配置。 +- 直接在主机上运行LXD。 不能在容器嵌套下使用这些功能。 +- 对于迁移,目标机器必须至少实现源的指令集,目标内核必须至少提供与源相同的系统调用,并且在源上挂载的任何内核文件系统也必须可挂载到目标主机上。 -All the needed dependencies are provided by Ubuntu 16.04 LTS, in which case, all you need to do is install CRIU itself: +Ubuntu 16.04 LTS已经提供了所有需要的依赖,在这种情况下,您只需要安装CRIU本身: ``` apt install criu ``` -### Using the thing +### 使用CRIU -#### Stateful snapshots +#### 有状态快照 -A normal container snapshot looks like: +一个普通的快照看上去像这样: ``` stgraber@dakara:~$ lxc snapshot c1 first @@ -40,7 +38,7 @@ stgraber@dakara:~$ lxc info c1 | grep first first (taken at 2016/04/25 19:35 UTC) (stateless) ``` -A stateful snapshot instead looks like: +一个有状态快照看上去像这样: ``` stgraber@dakara:~$ lxc snapshot c1 second --stateful @@ -48,24 +46,24 @@ stgraber@dakara:~$ lxc info c1 | grep second second (taken at 2016/04/25 19:36 UTC) (stateful) ``` -This means that all the container runtime state was serialized to disk and included as part of the snapshot. Restoring one such snapshot is done as you would a stateless one: +这意味着所有容器运行时状态都被序列化到磁盘并且作为了快照的一部分。就像你还原无状态快照那样还原一个有状态快照: ``` stgraber@dakara:~$ lxc restore c1 second stgraber@dakara:~$ ``` -#### Stateful stop/start +#### 有状态快照的停止/启动 -Say you want to reboot your server for a kernel update or similar maintenance. Rather than have to wait for all the containers to start from scratch after reboot, you can do: +比方说你想要升级内核或者其他类似的维护。与其等待所有的容器启动,你可以: ``` stgraber@dakara:~$ lxc stop c1 --stateful ``` -The container state will be written to disk and then picked up the next time you start it. +容器状态将会写入到磁盘,会在下次启动时读取。 -You can even look at what the state looks like: +你甚至可以看到像下面那样的状态: ``` root@dakara:~# tree /var/lib/lxd/containers/c1/rootfs/state/ 
@@ -228,15 +226,15 @@ root@dakara:~# tree /var/lib/lxd/containers/c1/rootfs/state/ 0 directories, 154 files ``` -Restoring the container can be done with a simple: +还原容器也很简单: ``` stgraber@dakara:~$ lxc start c1 ``` -### Live migration +### 实时迁移 -Live migration is basically the same as the stateful stop/start above, except that the container directory and configuration happens to be moved to another machine too. +实时迁移基本上与上面的有状态快照的停止/启动相同,除了容器目录和配置被移动到另一台机器上。 ``` stgraber@dakara:~$ lxc list c1 
@@ -266,52 +264,52 @@ stgraber@dakara:~$ lxc list s-tollana: +------+---------+-----------------------+----------------------------------------------+------------+-----------+ ``` -### Limitations +### 限制 -As I said before, checkpoint/restore of containers is still pretty new and we’re still very much working on this feature, fixing issues as we are made aware of them. We do need more people trying this feature and sending us feedback, I would however not recommend using this in production just yet. +正如我之前说的,容器的检查点/恢复还是非常新的功能,我们还在努力地开发这个功能、修复问题已知问题。我们确实需要更多的人来尝试这个功能,并给我们反馈,但我不建议在生产中使用这个功能。 -The current list of issues we’re tracking is [available on Launchpad][1]. +我们跟踪的问题列表在[Launchpad上][1]。 -We expect a basic Ubuntu container with a few services to work properly with CRIU in Ubuntu 16.04. However more complex containers, using device passthrough, complex network services or special storage configurations are likely to fail. +我们期望在Ubuntu 16.04上有一个基本的带有几个服务的Ubuntu容器能够与CRIU一起工作。然而在更复杂的容器、使用设备传递、复杂的网络服务或特殊的存储配置可能会失败。 -Whenever possible, CRIU will fail at dump time, rather than at restore time. In such cases, the source container will keep running, the snapshot or migration will simply fail and a log file will be generated for debugging. +只要有可能,CRIU会在转储时失败,而不是在恢复时。在这种情况下,源容器将继续运行,快照或迁移将会失败,并生成一个日志文件用于调试。 -In rare cases, CRIU fails to restore the container, in which case the source container will still be around but will be stopped and will have to be manually restarted. +在极少数情况下,CRIU无法恢复容器,在这种情况下,源容器仍然存在但将被停止,并且必须手动重新启动。 -### Sending bug reports +### 发送bug报告 -We’re tracking bugs related to checkpoint/restore against the CRIU Ubuntu package on Launchpad. Most of the work to fix those bugs will then happen upstream either on CRIU itself or the Linux kernel, but it’s easier for us to track things this way. +我们正在跟踪Launchpad上关于CRIU Ubuntu软件包的检查点/恢复相关的错误。大多数修复bug工作是在上游的CRIU或Linux内核上,但是这种方式我们更容易跟踪。 -To file a new bug report, head here. 
+要提交新的bug报告,请看这里。 -Please make sure to include: +请务必包括: -The command you ran and the error message as displayed to you +你运行的命令和显示给你的错误消息 -- Output of “lxc info” (*) -- Output of “lxc info ” -- Output of “lxc config show –expanded ” -- Output of “dmesg” (*) -- Output of “/proc/self/mountinfo” (*) -- Output of “lxc exec — cat /proc/self/mountinfo” -- Output of “uname -a” (*) -- The content of /var/log/lxd.log (*) -- The content of /etc/default/lxd-bridge (*) -- A tarball of /var/log/lxd// (*) +- “lxc info”的输出(*) +- “lxc info ”的输出 +- “lxc config show -expanded ”的输出 +- “dmesg”(*)的输出 +- “/proc/self/mountinfo”的输出(*) +- “lxc exec - cat /proc/self/mountinfo”的输出 +- “uname -a”(*)的输出 +- /var/log/lxd.log(*)的内容 +- /etc/default/lxd-bridge(*)的内容 +- /var/log/lxd// 的tarball(*) -If reporting a migration bug as opposed to a stateful snapshot or stateful stop bug, please include the data for both the source and target for any of the above which has been marked with a (*). +如果报告迁移错误,而不是状态快照或有状态停止错误,请将上面所有含有(*)标记的源与目标主机的信息发来。 -### Extra information +### 额外信息 -The CRIU website can be found at: +CRIU 的网站在: -The main LXD website is at: +LXD 的主站在: -Development happens on Github at: +LXD 的 GitHub 仓库: -Mailing-list support happens on: +LXD 的邮件列表: -IRC support happens in: #lxcontainers on irc.freenode.net +LXD 的 IRC 频道: #lxcontainers on irc.freenode.net -------------------------------------------------------------------------------- @@ -319,7 +317,7 @@ IRC support happens in: #lxcontainers on irc.freenode.net via: https://www.stgraber.org/2016/03/19/lxd-2-0-your-first-lxd-container-312/ 作者:[Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 From 5b12f9c9fdeac50961ec0a45820dfe1aaa30ca04 Mon Sep 17 00:00:00 2001 
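Review bot: In PATCH 036/181, the bug-report checklist in the `@@ -266,52 +264,52 @@` hunk turns the source's `lxc config show –expanded` and `lxc exec — cat /proc/self/mountinfo` into `lxc config show -expanded` and `lxc exec - cat /proc/self/mountinfo`. The dashes in the source are typographic damage to a double hyphen, so the translated items should read `--expanded` and `--`; a single `-` gives the reader a command that is neither the source text nor the intended option.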
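From: wxy Date: Wed, 28 Dec 2016 17:13:20 +0800 Subject: [PATCH 037/181] PROOF:20161201 How to Build an Email Server on Ubuntu Linux MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @WangYiHang First of all, congratulations on completing your first translation. It will be published to the website, Weibo and WeChat shortly. There are a few small issues in this draft, though, that I would like to draw your attention to: 1. Our repository has a Chinese typesetting guide that you can refer to; the most typical point is that a space should be added between English and Chinese text. 2. Keep the original's MD tags; most of them are fine, but the links were lost. I can see that you translated this carefully and did a good deal of homework; thank you for the hard work. You can refer to the proofreading I did. Keep it up! --- ...o Build an Email Server on Ubuntu Linux.md | 252 +++++++++--------- 1 file changed, 123 insertions(+), 129 deletions(-) diff --git a/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md b/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md index 91f480b7b1..9672383e61 100644 --- a/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md +++ b/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md 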
@@ -1,130 +1,124 @@ -如何在Ubuntu环境下搭建邮件服务器 -============================================================ - - ![mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-stack.jpg?itok=SVMfa8WZ "mail server") -在这个系列的文章中,我们将通过使用Postfix,Dovecot,和openssl这三款工具来为你展示如何在ubuntu系统上搭建一个既可靠又很容易配置的邮件服务器。[Creative Commons Zero][2]Pixabay - -在这个容器和宏服务技术日新月异的时代,值得庆幸的是有些事情并没有改变,例如搭建一个Linux下的邮件服务器, It's still a dance of many steps and knitting together several different servers, 一旦你将这些步骤组合在一起,一切都是那么和谐稳定, instead of winking in and out of existence like microservices. 在这一系列的教程中,我们将在ubuntu系统上构建一个既可靠又容易配置的邮件服务器通过使用Postfix, Dovecot, 和OpenSSL这三款工具。 - -Postfix是一个古老又可靠的软件,它比sendmail更加容易配置和使用,原始的Unix系统的MTA软件(还有人仍然在用sendmail吗?). Exim是一个在Debain系统上的默认的MTA软件,它比postfix更加轻量而且超级容易配置,因此我们在将来的教程中会推出Exim的教程。 -(翻译者注 : MTA : 将来自MUA的信件转发给指定的用户的程序一般被称之为因特网邮件传送代理MTA(Mail Transfer Agent , 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Message_transfer_agent))。在linux/Unix系统上,最著名的MTA有sendamil、qmail等程序。)。 - - -Dovecot(译者注 : 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Dovecot_(software)))和Courier是两个非常受欢迎的优秀的IMAP/POP3协议的服务器软件,Dovecot更加的轻量并且更加容易配置。 - -你必须要保证你的邮件是安全的,因此我们就需要使用到OpenSSL这个软件,OPENSSL也支持一些很好用的工具来测试你的邮件服务器。 - -为了简单起见,在这一系列的教程中,我们将指导大家安装一个在公网上的邮件服务器,你应该拥有一个公网的网络而且需要确保它是开启的而且正在正常工作,[查看如何获取一个公网服务器的教程请点击这里],然后,你就可以注册你的域名,将你的域名解析到你的公网服务器的IP,并为你的服务器配置相应的防火墙,这个过程网上已经有很多很详细的教程了,这里不再赘述,请大家认真完成这个作业。 - -### 一些术语 - -让我们先来快速了解一些术语,因为当我们了解了这些术语的时候就能知道这些见鬼的东西到底是什么。 :D - -> * **MTA**: Mail transfer agent(邮件转发代理) 基于SMTP协议(简单邮件传输协议)的服务端, 就像Postfix,Exim,Sendmail ,SMTP服务端在这些工具之间进行相互通信。 -* **MUA**: Mail user agent(邮件用户代理)你本地的邮件客户端,例如 : Evolution, KMail, Claws Mail, 或者 Thunderbird(译者注 : 例如国内的foxmail)。 -* **POP3**: Post-office protocol, the simplest(邮局协议版本3) POP3协议,这个简单的协议是为了从SMTP服务器中获取邮件并提供给你本地的邮件客户端,一个POP服务端是非常简单而且很小巧的,你可以为数以千计的用户提供服务(From a single box?)。 -* **IMAP**: Interactive message access protocol IMAP协议(邮件访问协议),许多企业使用这个协议因为邮件可以被保存在服务器上,所以用户不必担心会丢失消息,IMAP服务器需要大量的内存和存储空间。 -* **TLS**: Transport socket 
layer(安全传输层协议),一个SSL(Secure Sockets Layer 安全套接层)的改良版,为身份认证提供了加密的传输服务。 -* **SASL**: Simple authentication(简单验证安全层) and security layer 简单身份认证与安全层 ,为需要加密身份认证的用户服务,SASL进行身份认证,而上面说的TLS保证数据进行加密传输。 -* **StartTLS**: 一个像TLS一样众所周知的协议 它提供一种方式将纯文本连接升级为加密连接(TLS或SSL)。 - 只有通信的双方都支持SSL/TLS的时候才会进行加密,如果一方不支持加密,则使用明文传输).StartTLS会使用标准的端口 25 (SMTP), 110 (POP3), and 143 (IMAP) 来进行明文通信以代替对应端口的加密通信465 (SMTP), 995 (POP3), and 993 (IMAP) - -### 是的 , 我们仍然在使用snedmail这个工具 - - 绝大多数的Linux版本仍然还保留着 `/usr/sbin/sendmail` . 在大多数的Linux发行版中,`/usr/sbin/sendmail` 会创建一个符号链接到你已经安装的MTA软件,然而很多版本的Linux依然还保留着`/usr/sbin/sendmail`,这也是故意这样做的。 - -### 如何安装postfix - -`apt-get install postfix` -你可以直接使用apt-get来安装,在你安装postfix你要特别小心,安装程序会打开一个向导,这个向导会询问你想到搭建的服务器类型,你要选择"Internet Server",为你的公网服务器,假设你的域名服务已经正确配置,(我这么多次提到这个是因为经常有人在这里出现错误),你可以使用你的hostname 。 - - - - ![Postfix](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/postfix-1.png?itok=NJLdtICb "Postfix") - -图 1: `Postfix` 的配置。[Creative Commons Zero][1]Carla Schroder - -ubuntu系统会为postfix创建一个配置文件启动三个守护进程 : `master, qmgr`, and `pickup`,There is no Postfix command or daemon. - -``` -$ ps ax - 6494 ? Ss 0:00 /usr/lib/postfix/master - 6497 ? S 0:00 pickup -l -t unix -u -c - 6498 ? S 0:00 qmgr -l -t unix -u -``` - -你可以使用postfix对你的配置文件的语法进行检查,如果你的配置文件是没有语法错误的,那么就不会有相应的输出。 - -``` -$ sudo postfix check -[sudo] password for carla: -``` - -可以使用 `netstat` 来验证 `postfix` 是否正在监听25端口。 - -``` -$ netstat -ant -tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -tcp6 0 0 :::25 :::* LISTEN -``` - -现在让我们再来让古老的 `telnet` 躁起来进行测试 : - -``` -$ telnet myserver 25 -Trying 127.0.1.1... -Connected to myserver. -Escape character is '^]'. 
-220 myserver ESMTP Postfix (Ubuntu) -**EHLO myserver** -250-myserver -250-PIPELINING -250-SIZE 10240000 -250-VRFY -250-ETRN -250-STARTTLS -250-ENHANCEDSTATUSCODES -250-8BITMIME -250 DSN -**^]** - -telnet> -``` - -嘿,我们已经验证了我们的服务器名,而且postfix正在监听25端口而且正常响应了我们键入的命令。 - - -输入quit来退出telnet,例如 : 你刚才键入你服务器的交互环境的那些命令是粗体显示的,输出的信息是ESMTP协议的状态码。 -(译者注 : ESMTP (Extended SMTP),是扩展 SMTP 就是对标准 SMTP 协议进行的扩展. 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Extended_SMTP)) - -> * PIPELINING 允许多个命令同时执行,而不必对每个命令作出响应。 -* SIZE tells 表示服务器可接收的最大消息大小。 -* VRFY 可以告诉客户端某一个特定的邮箱地址是否存在,这通常被忽略 ,因为有可能会是一个安全漏洞。 -* ETRN 适用于具有不规则(不规则的)互联网连接(连接,连通性)的站点。这样的站点可以使用ETRN从上游服务器请求邮件传递(交付),并且Postfix可以配置为将推送(推送)邮件传递到ETRN客户端。 -* STARTTLS (详情见上述说明)。 -* ENHANCEDSTATUSCODES, 增强型的状态码和错误码。 -* 8BITMIME, 支持8位MIME,这意味着完整的ASCII字符集。一次一次,原始的ASCII是7位。 -* DSN, 传输状态通知,通知你传输时的错误。 - -postfix的主配置文件是 : `/etc/postfix/main.cf`,这个文件是安装程序创建的,可以查看这个资料 : 来查看这个配置文件的列表, `/etc/postfix/postfix-files`这个文件描述了postfix完整的安装过程 - -下周的教程我们会讲解Dovecot的安装和测试,然后会给我们自己发送一些邮件。 - --------------------------------------------------------------------------------- - -via: https://www.linux.com/learn/how-build-email-server-ubuntu-linux - -作者:[CARLA SCHRODER][a] -译者:[WangYihang](https://github.com/WangYihang) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linux.com/users/cschroder -[1]:https://www.linux.com/licenses/category/creative-commons-zero -[2]:https://www.linux.com/licenses/category/creative-commons-zero -[3]:https://www.linux.com/files/images/postfix-1png -[4]:https://www.linux.com/files/images/mail-stackjpg -[5]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services -[6]:http://www.postfix.org/postconf.5.html +如何在 Ubuntu 环境下搭建邮件服务器(一) +============================================================ + +![mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-stack.jpg?itok=SVMfa8WZ "mail server") + +在这个系列的文章中,我们将通过使用 
Postfix、Dovecot 和 openssl 这三款工具来为你展示如何在 ubuntu 系统上搭建一个既可靠又易于配置的邮件服务器。 + +在这个容器和微服务技术日新月异的时代,值得庆幸的是有些事情并没有改变,例如搭建一个 Linux 下的邮件服务器,仍然需要许多步骤才能间隔各种服务器耦合在一起,而当你将这些配置好,放在一起,却又非常可靠稳定,不会像微服务那样一睁眼有了,一闭眼又没了。 在这个系列教程中我们将通过使用 Postfix、Dovecot 和 openssl 这三款工具在 ubuntu 系统上搭建一个既可靠又易于配置的邮件服务器。 + +Postfix 是一个古老又可靠的软件,它比原始的 Unix 系统的 MTA 软件 sendmail 更加容易配置和使用(还有人仍然在用sendmail 吗?)。 Exim 是 Debain 系统上的默认 MTA 软件,它比 Postfix 更加轻量而且超级容易配置,因此我们在将来的教程中会推出 Exim 的教程。 + +Dovecot(LCTT 译注:详情请阅读[维基百科](https://en.wikipedia.org/wiki/Dovecot_(software))和 Courier 是两个非常受欢迎的优秀的 IMAP/POP3 协议的服务器软件,Dovecot 更加的轻量并且易于配置。 + +你必须要保证你的邮件通讯是安全的,因此我们就需要使用到 OpenSSL 这个软件,OpenSSL 也提供了一些很好用的工具来测试你的邮件服务器。 + +为了简单起见,在这一系列的教程中,我们将指导大家安装一个在局域网上的邮件服务器,你应该拥有一个局域网内的域名服务,并确保它是启用且正常工作的,查看这篇“[使用 dnsmasq 为局域网轻松提供 DNS 服务][5]”会有些帮助,然后,你就可以通过注册域名并相应地配置防火墙,来将这台局域网服务器变成互联网可访问邮件服务器。这个过程网上已经有很多很详细的教程了,这里不再赘述,请大家继续跟着教程进行即可。 + +### 一些术语 + +让我们先来快速了解一些术语,因为当我们了解了这些术语的时候就能知道这些见鬼的东西到底是什么。 :D + +* **MTA**:邮件传输代理(Mail Transfer Agent),基于 SMTP 协议(简单邮件传输协议)的服务端,比如 Postfix、Exim、Sendmail 等。SMTP 服务端彼此之间进行相互通信(LCTT 译注 : 详情请阅读[维基百科](https://en.wikipedia.org/wiki/Message_transfer_agent))。 +* **MUA**: 邮件用户代理(Mail User Agent),你本地的邮件客户端,例如 : Evolution、KMail、Claws Mail 或者 Thunderbird(LCTT 译注 : 例如国内的 Foxmail)。 +* **POP3**:邮局协议(Post-Office Protocol)版本 3,将邮件从 SMTP 服务器传输到你的邮件客户端的的最简单的协议。POP 服务端是非常简单小巧的,单一的一台机器可以为数以千计的用户提供服务。 +* **IMAP**: 交互式消息访问协议(Interactive Message Access Protocol),许多企业使用这个协议因为邮件可以被保存在服务器上,而用户不必担心会丢失消息。IMAP 服务器需要大量的内存和存储空间。 +* **TLS**:传输套接层(Transport socket layer)是 SSL(Secure Sockets Layer,安全套接层)的改良版,为 SASL 身份认证提供了加密的传输服务层。 +* **SASL**:简单身份认证与安全层(Simple Authentication and Security Layer),用于认证用户。SASL进行身份认证,而上面说的 TLS 提供认证数据的加密传输。 +* **StartTLS**: 也被称为伺机 TLS 。如果服务器双方都支持 SSL/TLS,StartTLS 就会将纯文本连接升级为加密连接(TLS 或 SSL)。如果有一方不支持加密,则使用明文传输。StartTLS 会使用标准的未加密端口 25 (SMTP)、 110(POP3)和 143 (IMAP)而不是对应的加密端口 465(SMTP)、995(POP3) 和 993 (IMAP)。 + +### 啊,我们仍然有 sendmail + +绝大多数的 Linux 版本仍然还保留着 `/usr/sbin/sendmail` 。 这是在那个 MTA 只有一个 sendmail 的古代遗留下来的痕迹。在大多数 Linux 
发行版中,`/usr/sbin/sendmail` 会符号链接到你安装的 MTA 软件上。如果你的 Linux 中有它,不用管它,你的发行版会自己处理好的。 + +### 安装 Postfix + +使用 `apt-get install postfix` 来做基本安装时要注意(图 1),安装程序会打开一个向导,询问你想要搭建的服务器类型,你要选择“Internet Server”,虽然这里是局域网服务器。它会让你输入完全限定的服务器域名(例如: myserver.mydomain.net)。对于局域网服务器,假设你的域名服务已经正确配置,(我多次提到这个是因为经常有人在这里出现错误),你也可以只使用主机名。 + +![Postfix](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/postfix-1.png?itok=NJLdtICb "Postfix") + +*图 1:Postfix 的配置。* + +Ubuntu 系统会为 Postfix 创建一个配置文件,并启动三个守护进程 : `master`、`qmgr` 和 `pickup`,这里没用一个叫 Postfix 的命令或守护进程。(LCTT 译注:名为 `postfix` 的命令是管理命令。) + +``` +$ ps ax + 6494 ? Ss 0:00 /usr/lib/postfix/master + 6497 ? S 0:00 pickup -l -t unix -u -c + 6498 ? S 0:00 qmgr -l -t unix -u +``` + +你可以使用 Postfix 内置的配置语法检查来测试你的配置文件,如果没用发现语法错误,不会输出任何内容。 + +``` +$ sudo postfix check +[sudo] password for carla: +``` + +使用 `netstat` 来验证 `postfix` 是否正在监听 25 端口。 + +``` +$ netstat -ant +tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN +tcp6 0 0 :::25 :::* LISTEN +``` + +现在让我们再操起古老的 `telnet` 来进行测试 : + +``` +$ telnet myserver 25 +Trying 127.0.1.1... +Connected to myserver. +Escape character is '^]'. 
+220 myserver ESMTP Postfix (Ubuntu) +EHLO myserver +250-myserver +250-PIPELINING +250-SIZE 10240000 +250-VRFY +250-ETRN +250-STARTTLS +250-ENHANCEDSTATUSCODES +250-8BITMIME +250 DSN +^] + +telnet> +``` + +嘿,我们已经验证了我们的服务器名,而且 Postfix 正在监听 SMTP 的 25 端口而且响应了我们键入的命令。 + +按下 `^]` 终止连接,返回 telnet。输入 `quit` 来退出 telnet。输出的 ESMTP(扩展的 SMTP ) 250 状态码如下。 +(LCTT 译注: ESMTP (Extended SMTP),即扩展 SMTP,就是对标准 SMTP 协议进行的扩展。详情请阅读[维基百科](https://en.wikipedia.org/wiki/Extended_SMTP)) + +* **PIPELINING** 允许多个命令流式发出,而不必对每个命令作出响应。 +* **SIZE** 表示服务器可接收的最大消息大小。 +* **VRFY** 可以告诉客户端某一个特定的邮箱地址是否存在,这通常应该被取消,因为这是一个安全漏洞。 +* **ETRN** 适用于非持久互联网连接的服务器。这样的站点可以使用 ETRN 从上游服务器请求邮件投递,Postfix 可以配置成延迟投递邮件到 ETRN 客户端。 +* **STARTTLS** (详情见上述说明)。 +* **ENHANCEDSTATUSCODES**,服务器支撑增强型的状态码和错误码。 +* **8BITMIME**,支持 8 位 MIME,这意味着完整的 ASCII 字符集。最初,原始的 ASCII 是 7 位。 +* **DSN**,投递状态通知,用于通知你投递时的错误。 + +Postfix 的主配置文件是: `/etc/postfix/main.cf`,这个文件是安装程序创建的,可以参考[这个资料][6]来查看完整的 `main.cf` 参数列表, `/etc/postfix/postfix-files` 这个文件描述了 Postfix 完整的安装文件。 + +下一篇教程我们会讲解 Dovecot 的安装和测试,然后会给我们自己发送一些邮件。 + +-------------------------------------------------------------------------------- + +via: https://www.linux.com/learn/how-build-email-server-ubuntu-linux + +作者:[CARLA SCHRODER][a] +译者:[WangYihang](https://github.com/WangYihang) +校对:[wxy](https://github.com/wxy) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/cschroder +[1]:https://www.linux.com/licenses/category/creative-commons-zero +[2]:https://www.linux.com/licenses/category/creative-commons-zero +[3]:https://www.linux.com/files/images/postfix-1png +[4]:https://www.linux.com/files/images/mail-stackjpg +[5]:https://www.linux.com/learn/dnsmasq-easy-lan-name-services +[6]:http://www.postfix.org/postconf.5.html From 2e08bbba8839a2c0b5320874840a0ea594d8fea4 Mon Sep 17 00:00:00 2001 
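Review bot: In PATCH 037/181 (@@ -1,130 +1,124 @@), the added Dovecot paragraph opens a translator's note with “(LCTT 译注:” and never closes it: the “))” after “Dovecot_(software)” only ends the Markdown link, so a full-width “)” is still needed before “和 Courier”. The proofread lines also keep several typos that should be fixed before publishing: “Debain” for Debian, “没用” for “没有” in both “这里没用一个叫 Postfix 的命令或守护进程” and “如果没用发现语法错误”, the doubled “的的” in the POP3 entry, “服务器支撑” for “支持” in the ENHANCEDSTATUSCODES entry, and “才能间隔各种服务器耦合在一起”, where “间隔” does not parse. The TLS glossary entry expands the acronym as “传输套接层(Transport socket layer)”; TLS stands for Transport Layer Security, so if that wording comes from the source article it deserves a short 译注 rather than being passed on unmarked. The link definitions [1] to [4] are still listed at the bottom although the added text no longer references them.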
From: wxy Date: Wed, 28 Dec 2016 17:13:40 +0800 Subject: [PATCH 038/181] PUB:20161201 How to Build an Email Server on Ubuntu Linux @WangYiHang --- .../20161201 How to Build an Email Server on Ubuntu Linux.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161201 How to Build an Email Server on Ubuntu Linux.md (100%) diff --git a/translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md b/published/20161201 How to Build an Email Server on Ubuntu Linux.md similarity index 100% rename from translated/tech/20161201 How to Build an Email Server on Ubuntu Linux.md rename to published/20161201 How to Build an Email Server on Ubuntu Linux.md From ef2f6b43d9f5a49ce9105850b471bda0ca9f5e4e Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Wed, 28 Dec 2016 17:31:40 +0800 Subject: [PATCH 039/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 --- ...Debt —Here'sHowtoBuild Technical Wealth.MD | 145 +++++++++--------- 1 file changed, 70 insertions(+), 75 deletions(-) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index 8cf0df1a10..5fddb125d5 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD @@ -1,5 +1,4 @@ -# Forget Technical Debt —Here'sHowtoBuild Technical Wealth -#忘记技术债务——教你如何创造技术财富 +#忘记技术债务 —— 教你如何创造技术财富 电视里正播放着《老屋》节目,[Andrea Goulet][58] 和她商业上的合作伙伴正悠闲地坐在客厅里,商讨着他们的战略计划。那正是大家思想的火花碰撞出创新事物的时刻。他们正在寻求一种能够实现自身价值的方式 —— 为其它公司清理遗留代码legacy code及科技债务。他们此刻的情景,像极了电视里的场景。(译者注:《老屋》电视节目提供专业的家装,家庭改建,重新装饰,创意等等信息,与软件的改造有异曲同工之处)。 
@@ -51,27 +50,25 @@ Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要 ### 忘记债务,创造技术财富 -如果你想把[重构技术债务][52]作为一个积累技术财富的机会-[敏捷开发讲师Declan Whelan最近提到的一个术语][51],你很可能要先说服你们公司的CEO、投资者和其它的股东登上这条财富之船。 -You’re much more likely to get your CEO, investors and other stakeholders on board if you reframe your technical debt as an opportunity to accumulate technical wealth — a term recently coined by agile development coach Declan Whelan. +如果你想把[重构技术债务reframe your technical debt][52] — [敏捷开发讲师 Declan Whelan 最近造出的一个术语][51] — 作为一个积累技术财富的机会,你很可能要先说服你们公司的 CEO、投资者和其它的股东接受并为之共同努力。 -“We need to stop thinking about debt as evil. Technical debt can be very useful when you’re in the early-stage trenches of designing and building your product,” says Goulet. “And when you resolve some debt, you’re giving yourself momentum. When you install new windows in your home, yes you’re spending a bunch of money, but then you save a hundred dollars a month on your electric bill. The same thing happens with code. Only instead of efficiency, you gain productivity that compounds over time.” -“我们没必要把技术债务想像得很可怕。当产品处于开发设计初期,技术债务反而变得非常有用,”Goulet说。“当你解决一些系统遗留的技术问题时,你会充满成就感。例如,当你在自己家里安装新窗户时,你确实会花费一笔不少的钱,但是之后你每个月就可以节省100美元的电费。程序代码亦是如此。这虽然暂时没有提高工作效率,但是随时时间地推移将为你们公司创造更多的生产率。“ +“我们没必要把技术债务想像得很可怕。当产品处于开发设计初期,技术债务反而变得非常有用,”Goulet 说。“当你解决一些系统遗留的技术问题时,你会充满成就感。例如,当你在自己家里安装新窗户时,你确实会花费一笔不少的钱,但是之后你每个月就可以节省 100 美元的电费。程序代码亦是如此。虽然暂时没有提高工作效率,但随时时间推移将提高生产力。” -一旦你意识到项目团队工作不再富有成效时,你必须要确认下是哪些技术债务在拖后腿了。 +一旦你意识到项目团队工作不再富有成效时,就需要确认下是哪些技术债务在拖后腿了。 -“我跟很多不惜一切代价招募英才的初创公司交流过,他们高薪聘请一些工程师来只为了完成更多的工作。”她说。”相反的是,他们应该找出如何让原有的每个工程师都更高效率工作的方法。你需要去解决什么样的技术债务以增加额外的生产率?" 
+“我跟很多不惜一切代价招募英才的初创公司交流过,他们高薪聘请一些工程师来只为了完成更多的工作。”她说。“与此相反,他们应该找出如何让原有的每个工程师能更高效率工作的方法。你需要去解决什么样的技术债务以增加额外的生产率?” -如果你改变自己的观点并且专注于创造技术财富,你将会看到产能过剩的现象,然后重新把多余的产能投入到修复更多的技术债务和遗留代码的的良性循环中。你们的产品将会走得更远,发展得更好。 +如果你改变自己的观点并且专注于创造技术财富,你将会看到产能过剩的现象,然后重新把多余的产能投入到修复更多的技术债务和遗留代码的良性循环中。你们的产品将会走得更远,发展得更好。 -> 别想着把你们公司的软件当作一个项目来看。从现在起,你把它想象成一栋自己要长久居住的房子。 +> **别把你们公司的软件当作一个项目来看。从现在起,把它想象成一栋自己要长久居住的房子。** -“这是一个极其重要的思想观念的转变,”Goulet说。“这将带你走出短浅的思维模式,并且你会比之前更加关注产品的维护工作。” +“这是一个极其重要的思想观念的转变,”Goulet 说。“这将带你走出短浅的思维模式,并让你比之前更加关注产品的维护工作。” -这就像一栋房子,要实现其现代化的改造方式有两种:小动作,表面上的更改(“我买了一块新的小地毯!”)和大改造,需要很多年才能偿还所有债务(“我假设我们将要替换掉所有的管道...")。你必须考虑好两者才能你们已有的产品和整个团队顺利地运作起来。 +这就像对一栋房子,要实现其现代化及维护的方式有两种:小动作,表面上的更改(“我买了一块新的小地毯!”)和大改造,需要很多年才能偿还所有债务(“我想我们应替换掉所有的管道...”)。你必须考虑好两者,才能让你们已有的产品和整个团队顺利地运作起来。 -这还需要提前预算好——否则那些较大的花销将会是硬伤。定期维护是最基本的预期费用。让人震惊的是,很多公司在商务上都没把维护成本预算进来。 +这还需要提前预算好 —— 否则那些较大的花销将会是硬伤。定期维护是最基本的预期费用。让人震惊的是,很多公司在商务上都没把维护成本预算进来。 -这就是Goulet提出软件重构这个术语的原因。当你房子里的一些东西损坏的时候,你不用铲除整个房子而是重新修复坏掉的那一部分就可以了。同样的,当你们公司出现老的,损坏的代码时,重写代码通常不是最明智的选择。 +这就是 Goulet 提出“**软件重构software remodeling**”这个术语的原因。当你房子里的一些东西损坏的时候,你并不是铲除整个房子,从头开始重建。同样的,当你们公司出现老的,损坏的代码时,重写代码通常不是最明智的选择。 下面是Corgibytes公司在重构客户代码用到的一些方法: 
@@ -81,134 +78,132 @@ You’re much more likely to get your CEO, investors and other stakeholders on b * 集合自动化测试来检查代码可用性。 * 重构或者修改代码库来提高易用性。 -系统重构也进入到运维领域。比如,Corgibytes公司经常推荐新客户使用[Docker][50],以便简单快速的部属新的开发环境。当你们公司有30个工程师的时候,把初始化配置时间从10小时减少到10分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 +系统重构也进入到运维领域。比如,Corgibytes公司经常推荐新客户使用 [Docker][50],以便简单快速的部署新的开发环境。当你们团队有30个工程师的时候,把初始化配置时间从 10 小时减少到 10 分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 -如果你知道有什么新的技术能让你们的代码管理起来更容易,创建更高效,就应该把这它们写入到每年或季度项目规划中。你别指望它们会自动呈现出来。但是也别给自己太大的压力来马上实施它们。Goulets看到很多公司从一开始就这些新的技术进行100%覆盖率测试而陷入困境。 +如果你知道做些什么能让你们的代码管理起来更容易更高效,就应该把这它们写入到每年或季度的项目规划中。别指望它们会自动呈现出来。但是也别给自己太大的压力来马上实施它们。Goulets 看到很多公司从一开始就致力于100% 覆盖率测试而陷入困境。 -具体来说,每个公司都应该把以下三种类型的重构工作规划到项目建设中来: - -* 自动化测试 +**具体来说,每个公司都应该把以下三种类型的重构工作规划到项目建设中来:** +*   +自动化测试 * 持续性交付 * 文化提升 -咱们来深入的了解下每一项内容 +咱们来深入的了解下每一项内容。 -自动化测试 +**自动化测试 -“有一位客户即将进行第二轮融资,但是他们却没办法在短期内招聘到足够的人才。我们帮助他们引进了一种自动化测试框架,这让他们的团队在3个月的时间内工作效率翻了一倍,”Goulets说。“这样他们就可以在他们的投资人面前自豪的说,”我们的一个精英团队完成的任务比两个普通的团队要多。“” + “有一位客户即将进行第二轮融资,但是他们没办法在短期内招聘到足够的人才。我们帮助他们引进了一种自动化测试框架,这让他们的团队在 3 个月的时间内工作效率翻了一倍,”Goulets说。“这样他们就可以在他们的投资人面前自豪的说,‘我们一个精英团队完成的任务比两个普通的团队要多。’” 自动化测试从根本上来讲就是单个测试的组合。你可以使用单元测试再次检查某一行代码。可以使用集成测试来确保系统的不同部分都正常运行。还可以使用验收性测试来检验系统的功能特性是否跟你想像的一样。当你把这些测试写成测试脚本后,你只需要简单地用鼠标点一下按钮就可以让系统自行检验了,而不用手工的去梳理并检查每一项功能。 -在产品的市场定位前就来制定自动化测试机制是有些言之过早了。但是如果你有一款信心满满的产品,并且也很依赖客户,那就更应该把这件事考虑在内了。 +在产品市场尚未打开之前就来制定自动化测试机制有些言之过早。但是一旦你有一款感到满满,并且客户也很依赖的产品,就应该把这件事付诸实施了。 -持续性交付 +**持续性交付** -这是与自动化交付相关的工作,过去是需要人工完成。目的是当系统部分修改完成时可以迅速进行部属,并且短期内得到反馈。这给公司在其它竞争对手面前有很大的优势,尤其是在售后服务行业。 +这是与自动化交付相关的工作,过去是需要人工完成。目的是当系统部分修改完成时可以迅速进行部署,并且短期内得到反馈。这使公司在其它竞争对手面前有很大的优势,尤其是在售后服务行业。 -“比如说你每次部属系统时环境都很复杂。熵值无法有效控制,”Goulets说。“我们曾经花了12个小时甚至更多的时间来部属一个很大的集群环境。然而,想必你将来也不会经常干部属新环境这样的工作。因为太折腾人了,而且还推迟了系统功能上线的时间。同时你也落后于其它公司并失去竞争力了。 +“比如说你每次部署系统时环境都很复杂。熵值无法有效控制,”Goulets 说。“我们曾经见过花 12 个小时甚至更多的时间来部署一个很大的集群环境。在这种情况下,你不会愿意频繁部署了。因为太折腾人了,你还会推迟系统功能上线的时间。这样,你将落后于其它公司并失去竞争力。” -在持续性改进的过程中常见的其它自动化任务包括: +**在持续性改进的过程中常见的其它自动化任务包括:** -* 在提交完成之后检查中断部分。 +*   在提交完成之后检查中断部分。 
* 在出现故障时进行回滚操作。 * 审查自动化代码的质量。 * 根据需求增加或减少服务器硬件资源。 * 让开发,测试及生产环境配置简单易懂。 -举一个简单的例子,比如说一个客户提交了一个系统Bug报告。开发团队越高效解决并修复那个Bug越好。对于开发人员来说,修复Bug的挑战根本不是个事儿,这本来也是他们的强项,主要是系统设置上不够完善导致他们浪费太多的时间去处理bug以外的其它问题。 +举一个简单的例子,比如说一个客户提交了一个系统 Bug 报告。开发团队越高效解决并修复那个 Bug 越好。对于开发人员来说,修复 Bug 的挑战根本不是个事儿,这本来也是他们的强项,主要是系统设置上不够完善导致他们浪费太多的时间去处理 bug 以外的其它问题。 -使用持续改进的方式时,在你决定哪些工作应该让机器去做还是最好丢给研发去完成的时候,你会变得很严肃无情。如果选择让机器去处理,你得使其自动化完成。这样也能让研发很愉快地去解决其它有挑战性的问题。同时客户也会很高兴地看到他们报怨的问题被快速处理了。你的待修复的未完成任务数减少了,之后你就可以把更多的时间投入到运用新的方法来提高公司产品质量上了。 +使用持续改进的方式时,在你决定哪些工作应该让机器去做,哪些最好交给研发去完成的时候,你会变得更干脆了。如果机器更擅长,那就使其自动化完成。这样也能让研发愉快地去解决其它有挑战性的问题。同时客户也会很高兴地看到他们报怨的问题被快速处理了。你的待修复的未完成任务数减少了,之后你就可以把更多的时间投入到运用新的方法来提高公司产品质量上了。**这是创造科技财富的一种转变。**因为开发人员可以修复 bug 后立即发布新代码,这样他们就有时间和精力做更多事。 -”你必须时刻问自己,‘我应该如何为我们的客户改善产品功能?如何做得更好?如何让产品运行更高效?’Goulets说。“一旦你回答完这些问题后,你就得询问下自己如何自动去完成那些需要改善的功能” +“你必须时刻问自己,‘我应该如何为我们的客户改善产品功能?如何做得更好?如何让产品运行更高效?’不过还要不止于此。”Goulets 说。“一旦你回答完这些问题后,你就得询问下自己,如何自动去完成那些需要改善的功能。” -提升企业文化 +**提升企业文化** -Corgibytes公司每天都会遇到同样的问题:一家创业公司建立了一个对开发团队毫无影响的文化环境。公司CEO抱着双臂思考着为什么这样的环境对员工没多少改变。然而事实却是公司的企业文化观念与他们是截然相反的。为了激烈你们公司的工程师,你必须全面地了解他们的工作环境。 +Corgibytes公司每天都会看到同样的问题:一家创业公司建立了一个对开发团队毫无影响的文化环境。公司 CEO 抱着双臂思考着为什么这样的环境对员工没多少改变。然而事实却是公司的企业文化对工作并不利。为了激励工程师,你必须全面地了解他们的工作环境。 -为了证明这一点,Goulet引用了作者Robert Henry说过的一段话: +为了证明这一点,Goulet 引用了作者 Robert Henry 说过的一段话: -> 目的不是创造艺术,而是在最美妙的状态下让艺术应运而生。 +> **目的不是创造艺术,而是在最美妙的状态下让艺术应运而生。** -“也就是说你得开始思考一下你们公司的产品,“她说。”你们的企业文件就应该跟自己的产品一样。你们的目标是永远创造一个让艺术品应运而生的环境,这件艺术品就是你们公司的代码,一流的售后服务、充满幸福感的员工、良好的市场、盈利能力等等。这些都息息相关。“ + “你们也要开始这样思考一下你们的软件,”她说。“你们的企业文件就类似状态。你们的目标是总能创造一个让艺术品应运而生的环境,这件艺术品就是你们公司的代码,一流的售后服务、充满幸福感的开发者、良好的市场、盈利能力等等。这些都息息相关。” -优先考虑公司的技术债务和遗留代码也是一种文化。那才是真正能让开发团队深受影响的方法。同时,这也会让你将来有更多的时间精力去完成更重要的工作。如果你不从根本上改变固有的企业文化环境,你就不可能重构公司产品。改变你所有的对产品维护及现代化上投资的态度是开始实施变革的第一步,最理想情况是从公司的CEO开始转变。 +优先考虑公司的技术债务和遗留代码也是一种文化。那是真正为开发团队清除障碍,以制造影响的方法。同时,这也会让你将来有更多的时间精力去完成更重要的工作。如果你不从根本上改变固有的企业文化环境,你就不可能重构公司产品。改变对产品维护及现代化上投资的态度是开始实施变革的第一步,最理想情况是从公司的CEO开始转变。 -以下是Goulet关于建立那种流态文化方面提出的建议: +以下是 Goulet 关于建立那种流态文化方面提出的建议: -* 
反对公司嘉奖那些加班到深夜的”英雄“。提倡高效率的工作方式。 -* 了解协同开发技术,比如Woody Zuill提出的[暴徒编程][44][][43]模式。 -* 遵从4个[现代敏捷开发][42] 原则:用户至上、实践及快速学习、把系统安全放在首位、持续交付价值。 +*   反对公司嘉奖那些加班到深夜的“英雄”。提倡高效率的工作方式。 +*   了解协同开发技术,比如 Woody Zuill 提出的[合作编程Mob Programming][44]模式。 +* 遵从 4 个[现代敏捷开发][42] 原则:用户至上、实践及快速学习、把系统安全放在首位、持续交付价值。 * 每周为研发提供项目外的职业发展时间。 -* 把[日工作记录]作为一种驱动开发团队主动解决问题的方式。 -* 把同情心放在第一位。Corgibytes公司让员工参加[Brene Brown勇气工厂][40]的培训是非常有用的。 +* 把[日工作记录][43]作为一种驱动开发团队主动解决问题的方式。 +* 把同情心放在第一位。Corgibytes 公司让员工参加 [Brene Brown 勇气工厂][40]的培训是非常有用的。 -”如果公司高管和投资者不支持这种文件升级方式,你得从客户服务的角度去说服他们,“Goulet说,”告诉他们通过这次调整后,最终产品将如何给公司的大客户提高更好的体验。这是你能做的一个很有力的论点。“ +“如果公司高管和投资者不支持这种升级方式,你得从客户服务的角度去说服他们,”Goulet 说,“告诉他们通过这次调整后,最终产品将如何给公司的大客户提高更好的体验。这是你能做的一个很有力的论点。” -### 寻找最具天财的代码重构者 +### 寻找最具天才的代码重构者 -整个行业都认为那些顶尖的工程师都不愿意去干修复遗留代码的工作。他们只想着去开发新的东西。大家都说把他们留在维护部门真是太浪费人才了。 +整个行业都认为顶尖的工程师不愿意干修复遗留代码的工作。他们只想着去开发新的东西。大家都说把他们留在维护部门真是太浪费人才了。 -其实这些都是误解。如果你知道如何寻找到那些技术精湛的工程师以为他们提供一个愉快的工作环境,你可以安排他们来帮你解决那些最棘手的技术债务问题。 +其实这些都是误解。如果你知道去哪里和如何找工程师,并为他们提供一个愉快的工作环境,你就可以找到技术非常精湛的工程师,来帮你解决那些最棘手的技术债务问题。 -”每一次开会的时候,我们都会问现场的同事’谁喜欢去干遗留代码的工作?‘但是也只有那么不到10%的同事会举手。“Goulet说。”但是当我跟这些人交流的过程中,我发现这些工程师恰好是喜欢最具挑战性工作的人才。“ +“每一次开会的时候,我们都会问现场的同事‘谁喜欢去干遗留代码的工作?’每次只有不到 10% 的同事会举手。”Goulet 说。“但是我跟这些人交流后,我发现这些工程师恰好是喜欢最具挑战性工作的人才。” -有一位客户来寻求她的帮助,他们使用国产的数据库,没有任何相关文档,也没有一种有效的方法来弄清楚他们公司的产品架构。她称那些类似于面包和黄油的一类工程师为”修正者“。在Corgibytes公司,她有一支这样的修正者团队由她支配,他们没啥爱好,只喜欢通过研究二进制代码来解决技术问题。 +有一位客户来寻求她的帮助,他们使用国产的数据库,没有任何相关文档,也没有一种有效的方法来弄清楚他们公司的产品架构。她称修理这种情况的一类工程师为“修正者”。在Corgibytes公司,她有一支这样的修正者团队由她支配,热衷于通过研究二进制代码来解决技术问题。 ![](https://s3.amazonaws.com/marquee-test-akiaisur2rgicbmpehea/BeX5wWrESmCTaJYsuKhW_Screen%20Shot%202016-08-11%20at%209.17.04%20AM.png) -那么,如何才能找到这些技术人才呢?Goulet尝试过各种各样的方法,其中有一些方法还是富有成效的。 +那么,如何才能找到这些技术人才呢? 
Goulet 尝试过各种各样的方法,其中有一些方法还是富有成效的。 -她创办了一个社区网站[legacycode.rocks][49]并且在招聘启示上写道:”长期招聘那些喜欢重构遗留代码的另类开发人员...如果你以从事处理遗留代码的工作为自豪,欢迎加入!“ +她创办了一个社区网站 [legacycode.rocks][49] 并且在招聘启示上写道:“长期招聘那些喜欢重构遗留代码的另类开发人员...如果你以从事处理遗留代码的工作为自豪,欢迎加入!” -”我刚开始收到很多这些人发来邮件说,’噢,天呐,我也属于这样的开发人员!‘“她说。”我开始发布这条信息,并且告诉他们这份工作是非常有意义的,以吸引合适的人才“ +“我开始收到很多人发来邮件说,‘噢,天呐,我也属于这样的开发人员!’”她说。“只需要发布这条信息,并且告诉他们这份工作是非常有意义的,就吸引了合适的人才。” -推荐文章 +在招聘的过程中,她也会使用持续性交付的经验来回答那些另类开发者想知道的信息:包括详细的工作内容以及明确的要求。“我这么做的原因是因为我讨厌重复性工作。如果我收到多封邮件来咨询同一个问题,我会把答案发布在网上,我感觉自己更像是在写说明文档一样。” -在招聘的过程中,她也会使用持续性交付的经验来回答那些另类开发者想知道的信息:包括详细的工作内容以及明确的要求。我这么做的原因是因为我讨厌重复性工作。如果我收到多封邮件来咨询同一个问题,我会把答案发布在网上,我感觉自己更像是在写说明文档一样。” +但是随着时间的推移,她发现可以重新定义招聘流程来帮助她识别出更出色的候选人。比如说,她在应聘要求中写道,“公司 CEO 将会重新审查你的简历,因此请确保求职信中致意时不用写明性别。所有以‘尊敬的先生’或‘先生’开头的信件将会被当垃圾处理掉”。这些只是她的招聘初期策略。 -但是随着时间的推移,她注意到她会重新定义招聘流程来帮助她识别出更出色的候选人。比如说,她在应聘要求中写道,“公司CEO将会重新审查你的简历,因此确保邮件发送给CEO时”不用写明性别。所有以“尊敬的先生或女士”开头的信件将会被当垃圾处理掉。然后,这只不过是她招聘初期的策略而已。 +“我开始这么做是因为很多申请人把我当成一家软件公司的男性 CEO,这让我很厌烦,”Goulet 说。“所以,有一天我想我应该它当作应聘要求放到网上,看有多少人注意到这个问题。令我惊讶的是,这让我过滤掉一些不太严谨的申请人。还突显出了很多擅于从事遗留代码方面工作的人。” -“我开始这么做是因为很多申请人把我当成一家软件公司的男性CEO,这让我很厌烦,”Goulet说。“所有,有一天我想我应该它当作应聘要求放到网上,看有多少人注意到这个问题。令我惊讶的是,这让我过滤掉一些不太严谨的申请人。还突显出了很多擅于从事遗留代码方面工作的人。 +Goulet 想起一个应聘者发邮件给我说,“我查看了你们网站的代码(我喜欢这个网站,这也是我的工作)。你们的网站架构很奇特,好像是用 PHP 写的,但是你们却运行在用 Ruby 语言写的 Jekyll 下。我真的很好奇那是什么呢。” -Goulet想起一个应聘者发邮件给我说,“我查看了你们网站的代码(我喜欢这个网站以及你们打招呼的方式,这就是我所希望的)。你们的网站架构很奇特,好像是用PHP写的,但是你们却运行在用Ruby语言写的Jekyll下。我真的很好奇那是什么呢。” +Goulet 从她的设计师那里得知,原来,在 HTML、CSS 和 JavaScript 文件中有一个未使用的 PHP 类名,她一直想解决这个问题,但是一直没机会。Goulet 的回复是:“你正在找工作吗?” -原来是这样的,Goulet从她的设计师那里得知,在HTML、CSS和JavaScript文件中有一个未使用的PHP类名,她一直想解决这个问题,但是一直没机会。她的回复是:“你正在找工作吗?” +另外一名候选人注意到她曾经在一篇说明文档中使用 CTO 这个词,但是她的团队里并没有这个头衔(她的合作伙伴是 Chief Code Whisperer)。这些注重细节、充满求知欲、积极主动的候选者更能引起她的注意。 -另外一名候选人注意到她曾经在一篇说明文档中使用CTO这个词,但是她的团队里并没有这个头衔(她的合作伙伴是首席代码语者)。其次是那些注重细节、充满求知欲、积极主动的候选者更能引起她的注意。 +> **代码修正者不仅需要注重细节,而且这也是他们必备的品质。** -> 代码修正者不仅需要注重细节,而且这也是他们必备的品质。 +让人吃惊的是,Goulet 从来没有为招募最优秀的代码修正者而感到厌烦过。“大多数人都是通过我们的网站直接投递简历,但是当我们想扩大招聘范围的时候,我们会通过 [PowerToFly][48] 和 
[WeWorkRemotely][47] 网站进行招聘。我现在确实不需要招募新人马了。他们需要经历一段很艰难的时期才能理解代码修正者的意义是什么。” -让人吃惊的是,Goulet从来没有为招募最优秀的代码修正者而感到厌烦过。”大多数人都是通过我们的网站直接投递简历,但是当我们想扩大招聘范围的时候,我们会通过[PowerToFly][48]和[WeWorkRemotely][47]网站进行招聘。我现在确实不需要招募新人马了。他们需要经历一段很艰难的时期才能理解代码修正者的意义是什么。“ +如果他们通过首轮面试,Goulet 将会让候选者阅读一篇 Arlo Belshee 写的文章“[命名是一个过程Naming is a Process][46]”。它讲的是非常详细的处理遗留代码的的过程。她最经典的指导方法是:“阅读完这段代码并且告诉我,你是怎么理解的。” -如果他们通过首轮面试,Goulet将会让候选者阅读一篇Arlo Belshee写的文章”[命名是一个过程][46]“。它讲的是非常详细的处理遗留代码的的过程。她最经典的指导方法是:”阅读完这段代码并且告诉我,你是怎么理解的。“ +她将找出对问题的理解很深刻并且也愿意接受文章里提出的观点的候选者。这对于区分有深刻理解的候选者和仅仅想获得工作的候选者中来说,是极其有用的办法。她强烈要求候选者找出一段与他操作相关的代码,来证明他是充满激情的、有主见的及善于分析问题的人。 -她将找出对问题的理解很深刻并且也愿意接受文章里提出的观点候选者。这对于筛选出有坚定信念的想被雇用的候选者来说是极其有用的办法。她强力要求候选者找出一段与你操作相关的最关键的代码来证明你是充满激情的、有主见的及善于分析问题的人。 +最后,她会让候选者跟公司里当前的团队成员一起使用 [Exercism.io][45] 工具进行编程。这是一个开源项目,它允许开发者学习如何在不同的编程语言环境下使用一系列的测试驱动开发的练习进行编程。第一部分的协同编程课程允许候选者选择其中一种语言进行内建。下一个练习中,面试者可以选择一种语言进行编程。他们总能看到那些人处理异常的方法、随机应便的能力以及是否愿意承认某些自己不了解的技术。 -最后,她会让候选者跟公司里当前的团队成员一起使用[Exercism.io][45]工具进行编程。这是一个开源项目,它允许开发者学习如何在不同的编程语言环境下使用一系列的测试驱动开发的练习进行编程。第一部分的协同编程课程允许候选者选择其中一种语言进行内建。下一个练习中,面试者可以选择一种语言进行编程。他们总能看到那些人处理异常的方法、随机应便的能力以及是否愿意承认某些自己不了解 的技术。 +“当一个人真正的从执业者转变为大师的时候,他会毫不犹豫的承认自己不知道的东西,”Goulet说。 -“当一个人真正的从专家转变为大师的时候,他才会毫不犹豫的承认自己不知道的东西,“Goulet说。 +让他们使用自己不熟悉的编程语言来写代码,也能衡量其坚韧不拔的毅力。“我们想听到某个人说,‘我会深入研究这个问题直到彻底解决它。’也许第二天他们仍然会跑过来跟我们说,‘我会一直留着这个问题直到我找到答案为止。’那是作为一个成功的修正者表现出来的一种气质。” -让他们使用自己不熟悉的编程语言来写代码也能衡量其坚韧不拔的毅力。”我们想听到某个人说,‘我会深入研究这个问题直到彻底解决它。“也许第二天他们仍然会跑过来跟我们说,’我会一直留着这个问题直到我找到答案为止。‘那是作为一个成功的修正者表现出来的一种气质。“ +> **产品开发人员在我们这个行业很受追捧,因此很多公司也想让他们来做维护工作。这是一个误解。最优秀的维护修正者并不是最好的产品开发工程师。** -> 如果你认为产品开发人员在我们这个行业很受追捧,因此很多公司也想让他们来做维护工作。那你可错了。最优秀的维护修正者并不是最好的产品开发工程师。 - -如果一个有天赋的修正者在眼前,Goulet懂得如何让他走向成功。下面是如何让这种类型的开发者感到幸福及高效工作的一些方式: +如果一个有天赋的修正者在眼前,Goulet 懂得如何让他走向成功。下面是如何让这种类型的开发者感到幸福及高效工作的一些方式: * 给他们高度的自主权。把问题解释清楚,然后安排他们去完成,但是永不命令他们应该如何去解决问题。 * 如果他们要求升级他们的电脑配置和相关工具,尽管去满足他们。他们明白什么样的需求才能最大限度地提高工作效率。 * 帮助他们[避免更换任务][39]。他们喜欢全身心投入到某一个任务直至完成。 -总之,这些方法已经帮助Corgibytes公司培养出20几位对遗留代码充满激情的专业开发者。 +总之,这些方法已经帮助 Corgibytes 公司培养出 20 
几位对遗留代码充满激情的专业开发者。 ### 稳定期没什么不好 -大多数创业公司都都不想跳过他们的成长期。一些公司甚至认为成长期应该是永无止境的。而且,他们觉得也没这个必要,即便他们已经进入到了下一个阶段:稳定期。完全进入到稳定期意味着你可以利用当前的人力资源及管理方法在创造技术财富和消耗资源之间做出一个正确的选择。 +大多数创业公司都都不想跳过他们的成长期。一些公司甚至认为成长期应该是永无止境的。而且,他们觉得也没这个必要,即便他们已经进入到了下一个阶段:稳定期。完全进入到稳定期意味着你拥有人力资源及管理方法来创造技术财富,同时根据优先权适当支出。 -”在成长期和稳定期之间有个转折点就是维护人员必须要足够壮大,并且你开始更公平的对待维护人员以及专注新功能的产品开发人员,“Goulet说。”你们公司的产品开发完成了。现在你得让他们更加稳定地运行。“ +“在成长期和稳定期之间有个转折点,就是维护人员必须要足够壮大,并且相对于专注新功能的产品开发人员,你开始更公平的对待维护人员,”Goulet说。“你们公司的产品开发完成了。现在你得让他们更加稳定地运行。” -这就意味着要把公司更多的预算分配到产品维护及现代化方面。”你不应该把产品维护当作是一个不值得关注的项目,“她说。”这必须成为你们公司固有的一种企业文化——这将帮助你们公司将来取得更大的成功。“ +这就意味着要把公司更多的预算分配到产品维护及现代化方面。“你不应该把产品维护当作是一个不值得关注的项目,”她说。“这必须成为你们公司固有的一种企业文化 —— 这将帮助你们公司将来取得更大的成功。“ -最终,你通过这么努力创建的技术财富将会为你的团队带来一大批全新的开发者:他们就像侦查兵一样,有充足的时间和资源去探索新的领域,挖掘新客户资源并且给公司创造更多的机遇。当你们在新的市场领域做得更广泛并且不断发展得更好——那么你们公司已经真正地进入到繁荣发展的状态了。 +最终,你通过这些努力创建的技术财富,将会为你的团队带来一大批全新的开发者:他们就像侦查兵一样,有充足的时间和资源去探索新的领域,挖掘新客户资源并且给公司创造更多的机遇。当你们在新的市场领域做得更广泛并且不断发展得更好 —— 那么你们公司已经真正地进入到繁荣发展的状态了。 -------------------------------------------------------------------------------- @@ -265,7 +260,7 @@ via: http://firstround.com/review/forget-technical-debt-heres-how-to-build-techn [40]:http://www.courageworks.com/ [41]:http://corgibytes.com/blog/2016/08/02/how-we-use-daily-journals/ [42]:https://www.industriallogic.com/blog/modern-agile/ -[43]:http://mobprogramming.org/ +[43]:http://corgibytes.com/blog/2016/08/02/how-we-use-daily-journals/ [44]:http://mobprogramming.org/ [45]:http://exercism.io/ [46]:http://arlobelshee.com/good-naming-is-a-process-not-a-single-step/ From 76455ee5783498ac60020b8d70cafbdde69e9441 Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Wed, 28 Dec 2016 17:35:23 +0800 Subject: [PATCH 040/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 --- ...echnical Debt —Here'sHowtoBuild Technical Wealth.MD | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
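Review bot: In PATCH 039/181, the last hunk (@@ -265,7 +260,7 @@) repoints [43] to http://corgibytes.com/blog/2016/08/02/how-we-use-daily-journals/, the URL that the unchanged [41] line just above already holds, so the new “[日工作记录][43]” link could simply use [41] and leave the reference list untouched. Several added list items begin with “*” followed by non-breaking spaces (“+*   在提交完成之后检查中断部分。”, “+*   反对公司嘉奖…”, “+*   了解协同开发技术…”), which may not render as bullets; PATCH 040/181 repairs only the “自动化测试” item. Typos remaining on added lines: “随时时间推移” (随着), “感到满满” in the automated-testing paragraph, “企业文件” where “企业文化” is meant, “随机应便” (随机应变), and the closing quotation mark in “取得更大的成功。“”, which is an opening mark.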
diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index 5fddb125d5..fca26ca316 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD @@ -70,7 +70,7 @@ Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要 这就是 Goulet 提出“**软件重构software remodeling**”这个术语的原因。当你房子里的一些东西损坏的时候,你并不是铲除整个房子,从头开始重建。同样的,当你们公司出现老的,损坏的代码时,重写代码通常不是最明智的选择。 -下面是Corgibytes公司在重构客户代码用到的一些方法: +下面是 Corgibytes 公司在重构客户代码用到的一些方法: * 把大型的应用系统分解成轻量级的更易于维护的微服务。 * 相互功能模块之间降低耦合性以便于扩展。 @@ -78,19 +78,19 @@ Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要 * 集合自动化测试来检查代码可用性。 * 重构或者修改代码库来提高易用性。 -系统重构也进入到运维领域。比如,Corgibytes公司经常推荐新客户使用 [Docker][50],以便简单快速的部署新的开发环境。当你们团队有30个工程师的时候,把初始化配置时间从 10 小时减少到 10 分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 +系统重构也进入到运维领域。比如,Corgibytes 公司经常推荐新客户使用 [Docker][50],以便简单快速的部署新的开发环境。当你们团队有30个工程师的时候,把初始化配置时间从 10 小时减少到 10 分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 如果你知道做些什么能让你们的代码管理起来更容易更高效,就应该把这它们写入到每年或季度的项目规划中。别指望它们会自动呈现出来。但是也别给自己太大的压力来马上实施它们。Goulets 看到很多公司从一开始就致力于100% 覆盖率测试而陷入困境。 **具体来说,每个公司都应该把以下三种类型的重构工作规划到项目建设中来:** -*   -自动化测试 + +* 自动化测试 * 持续性交付 * 文化提升 咱们来深入的了解下每一项内容。 -**自动化测试 +**自动化测试** “有一位客户即将进行第二轮融资,但是他们没办法在短期内招聘到足够的人才。我们帮助他们引进了一种自动化测试框架,这让他们的团队在 3 个月的时间内工作效率翻了一倍,”Goulets说。“这样他们就可以在他们的投资人面前自豪的说,‘我们一个精英团队完成的任务比两个普通的团队要多。’” From b694310ae213175e215e221b09ee18e6fc921ad7 Mon Sep 17 00:00:00 2001 From: vic Date: Wed, 28 Dec 2016 17:58:31 +0800 Subject: [PATCH 041/181] Vic020 translating --- ...1115 Build Deploy and Manage Custom Apps with IBM Bluemix.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161115 Build Deploy and Manage Custom Apps with IBM Bluemix.md b/sources/tech/20161115 Build Deploy and Manage Custom Apps with IBM Bluemix.md index 58acce37da..a0ab5dd8c3 100644 
--- a/sources/tech/20161115 Build Deploy and Manage Custom Apps with IBM Bluemix.md +++ b/sources/tech/20161115 Build Deploy and Manage Custom Apps with IBM Bluemix.md @@ -1,3 +1,5 @@ + Vic020 + Build, Deploy and Manage Custom Apps with IBM Bluemix ============================================================ From f4cae21ef1095d31c4e7fe6974fc417bc351575a Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Wed, 28 Dec 2016 18:08:37 +0800 Subject: [PATCH 042/181] Update 20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md --- ...- Move from SQL Server to MySQL as well.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md index 3321ce034e..1259b67ec3 100644 --- a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -15,7 +15,7 @@ 最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 Over the recent years, there has been a large number of individuals as well as organizations who are ditching the Windows platform for Linux platform, and this number will continue to grow as more developments in Linux are experienced. Linux has for long been the leader in Web servers as most of the web servers run on Linux, and this could be one of the reasons why the high migration is being experienced. -迁移的原因有很多,从更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL Server数据库管理系统的迁移也有着同样的趋势, 首选的是MySQL,因为MySQL的互用性、平台独立和低的购置成本。 +迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL Server数据库管理系统的迁移也有着同样的趋势, 首选的是MySQL,因为MySQL的互用性、平台独立和低的购置成本。 The reasons for this migration are as numerous, ranging from more platform stability, reliability, costs, ownership and security among others. As more entities migrate to the Linux platform, so is the migration from MS SQL server database management system, top MySQL, because of interoperability and platform independence of MySQL, as well as low acquisition costs. 有多少个人和组织完成了迁移,就有多少商业需求应该被满足,迁移,不能只是为了乐趣。同样的,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 
@@ -35,31 +35,39 @@ Unlike in windows where you are not in full control of the releases and fixes, L The Linux platform far outnumbers Windows in the number of servers that are running on it, nearly a quarter of all servers in the world, and the trend is not about to change anytime soon. Many organizations, therefore, do migrate so as to be fully on Linux rather than running two platforms concurrently, which adds up to their operating costs. ### Microsoft isn’t Open Sourcing SQL Server’s Code -尽管微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版,但是微软并不会开放源代码,这意味着他们的协议依旧有效。 + +微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们的协议依旧有效,但是新版本将能在Linux上运行。这一点将许多乐于接受开源新版的人拒之门外。 + In as much as Microsoft have announced that their next release of MSSQL server (named Denali) will be a Linux version, that will still not open their source code, meaning that their licenses will still apply, but the release will be run on Linux. This still locks out the many users who would happily take to the release if it was open source. +这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 MySQL 用于也是如此。 This still does not give an alternative to those users who are using Oracle, which is not open source; neither does it to those [using MySQL][7], which is fully open source. ### Saving on License Costs +许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MSSQL 服务器有太多的许可证牵涉其中。你需要这些许可: The cost implication of licenses is a huge letdown for many users. Running a MSSQL server on Windows platform has too many licenses involved. You need licenses for: -* The windows operating system -* The MSSQL server -* Specific database tools e.g. SQL analytics tools, etc. +*   The windows operating system Windows 操作系统 +*   The MSSQL server MSSQL服务器 +*   Specific database tools e.g. 
SQL analytics tools, etc.特定的数据库工具例如 SQL 分析工具等 +不像在 Windows 平台上, Linux 完全没有高昂的授权花费,,因此更能吸引用户。 MySQL 数据库也能免费获取,即使他能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 Unlike in Windows platform, Linux eliminates the issues of high licenses costs, and thus more appealing to users. MySQL database is also a free source even though it offers the flexibility just as MSSQL server, thus it is more preferred. Most of the database utility tools for MySQL are mostly free, unlike for MSSQL. ### Sometimes, the Specific Hardware being Used +因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛使用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 Because Linux is developed and always being enhanced by various developers, it is independent of the hardware it operates on and thus widely used on different hardware platforms. However, as much as Microsoft has tried to ensure that Windows and MSSQL server are hardware independent; there are still some limitations in platform independence. ### Support - +有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题 With Linux and MySQL, as well as with other open source software, it is easier to get support on the specific need that you have, because there are various developers involved in their development. These developers maybe within your locality, thus are easily reached. Also, online forums are of great help whereby you are able to post and discuss the issues you face. +至于那些商业软件,你只能根据他们的软件协议和时间来获得帮助,有时候他们不能在你的时间范围内给出一个解决方案。 For commercial software, you get support based on their software agreement with you and their timing, and at times may not give you a solution within the timelines that you have. 
+在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可依赖的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 In every case, migrating to Linux gives you the best option and outcome that you can have, by joining a radical, stable and reliable platform, which is known to be more robust than Windows. It is worth a shot. -------------------------------------------------------------------------------- @@ -67,7 +75,7 @@ In every case, migrating to Linux gives you the best option and outcome that you via: https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/ 作者:[Tony Branson ][a] -译者:[译者ID](https://github.com/译者ID) +译者:[ypingcn](https://github.com/ypingcn) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 From 544e279b381b8b1279ff2da4ffa2a181e49f4a20 Mon Sep 17 00:00:00 2001 From: wxy Date: Wed, 28 Dec 2016 18:38:44 +0800 Subject: [PATCH 043/181] =?UTF-8?q?=E5=9B=9E=E6=94=B6=E8=B6=85=E6=9C=9F?= =?UTF-8?q?=E8=AF=91=E6=96=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @poodarchu @bjwrkj @messon007 @zky001 --- ...ilding a data science portfolio - Storytelling with data.md | 3 --- sources/tech/20161018 Suspend to Idle.md | 1 - sources/tech/20161103 Perl and the birth of the dynamic web.md | 2 -- ...20161110 How to check if port is in use on Linux or Unix.md | 3 +-- 4 files changed, 1 insertion(+), 8 deletions(-) diff --git a/sources/tech/20160602 Building a data science portfolio - Storytelling with data.md b/sources/tech/20160602 Building a data science portfolio - Storytelling with data.md index 29a37b3d1b..ae5e5b1eec 100644 --- a/sources/tech/20160602 Building a data science portfolio - Storytelling with data.md +++ b/sources/tech/20160602 Building a data science portfolio - Storytelling with data.md @@ -1,6 +1,3 @@ - -@poodarchu 翻译中 - Building a data science portfolio: Storytelling with data ======== 
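Review bot: In the closing paragraph added by the `@@ -35,31 +35,39 @@` hunk of the SQL Server article, "总所周知,这比 Windows 要多花费一点精力" does not match the English line directly below it, "which is known to be more robust than Windows". The translation says Linux takes a little more effort than Windows, while the source says it is more robust. Something like "众所周知,它比 Windows 更健壮" would carry the meaning and also fix 总所周知, a typo for 众所周知. In the same hunk, "使用完全开源的 MySQL 用于也是如此" has 用于 where 用户 is meant, the three licence bullets keep the English and the Chinese text on one line, and the blank line after "### Support" is replaced by the translated paragraph, so the heading runs straight into the text unlike the other sections.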
diff --git a/sources/tech/20161018 Suspend to Idle.md b/sources/tech/20161018 Suspend to Idle.md index 8a33e01e17..266dd8e7b1 100644 --- a/sources/tech/20161018 Suspend to Idle.md +++ b/sources/tech/20161018 Suspend to Idle.md @@ -1,4 +1,3 @@ -bjwrkj 翻译中.. # Suspend to Idle ### Introduction diff --git a/sources/tech/20161103 Perl and the birth of the dynamic web.md b/sources/tech/20161103 Perl and the birth of the dynamic web.md index 7b816e3c25..e69126e365 100644 --- a/sources/tech/20161103 Perl and the birth of the dynamic web.md +++ b/sources/tech/20161103 Perl and the birth of the dynamic web.md @@ -1,5 +1,3 @@ -**************Translating by messon007****************** - # Perl and the birth of the dynamic web >The fascinating story of Perl's role in the dynamic web spans newsgroups and mailing lists, computer science labs, and continents. diff --git a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md b/sources/tech/20161110 How to check if port is in use on Linux or Unix.md index b1b50578ab..5c2451b9ea 100644 --- a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md +++ b/sources/tech/20161110 How to check if port is in use on Linux or Unix.md @@ -1,4 +1,3 @@ -翻译中 by zky001 How to check if port is in use on Linux or Unix ============================================================ @@ -115,7 +114,7 @@ netstat -bano | findstr /R /C:"[LISTING]" via: https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ 作者:[ VIVEK GITE][a] -译者:[zky001](https://github.com/zky001) +译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 134dc83cbb486bf6d6181f33b44be3583972df27 Mon Sep 17 00:00:00 2001 
From: ypingcn <1344632698@qq.com> Date: Wed, 28 Dec 2016 21:19:35 +0800 Subject: [PATCH 044/181] Update 20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md --- ...- Move from SQL Server to MySQL as well.md | 65 +++++++------------ 1 file changed, 25 insertions(+), 40 deletions(-) diff --git a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md index 1259b67ec3..33619ee143 100644 --- a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -5,70 +5,55 @@ ### 在这篇文章里将会讲 -1.  [To have Control Over the Platform][1] -2. [Joining the Crowd][2] -3. [Microsoft isn’t Open Sourcing SQL Server’s Code][3] -4. [Saving on License Costs][4] -5. [Sometimes, the Specific Hardware being Used][5] -6. [Support][6] +1.  [控制平台][1] +2.  [跟随大众][2] +3.  [微软没有开放 SQL Server 的源代码][3] +4.  [节约许可证的花费][4] +5.  [有时候被使用的特定硬件][5] +6.  [支持][6] 最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 -Over the recent years, there has been a large number of individuals as well as organizations who are ditching the Windows platform for Linux platform, and this number will continue to grow as more developments in Linux are experienced. Linux has for long been the leader in Web servers as most of the web servers run on Linux, and this could be one of the reasons why the high migration is being experienced. -迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL Server数据库管理系统的迁移也有着同样的趋势, 首选的是MySQL,因为MySQL的互用性、平台独立和低的购置成本。 -The reasons for this migration are as numerous, ranging from more platform stability, reliability, costs, ownership and security among others. As more entities migrate to the Linux platform, so is the migration from MS SQL server database management system, top MySQL, because of interoperability and platform independence of MySQL, as well as low acquisition costs. +迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL 服务器数据库管理系统的迁移也有着同样的趋势,首选的是 MySQL ,因为 MySQL 的互用性、平台独立和低的购置成本。 -有多少个人和组织完成了迁移,就有多少商业需求应该被满足,迁移,不能只是为了乐趣。同样的,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 -As much as the migration is to be done, the need for it should be necessitated by the business and not just for the mere pleasure of it.As such, a comprehensive feasibility and cost-benefit analysis should be carried out to know the impact that the migration will have on your business, both positive and negative. 
+有多少个人和组织完成了迁移,就应该满足多少商业需求,迁移,不能只是为了乐趣。这样的话,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 -迁移需要基于以下的重要因素: -The migration may be based on the following key factors: +迁移需要基于以下重要因素: -### To have Control Over the Platform +### 控制平台 -不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候, Linux 真正给了你灵活性去获取他们。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即修复它。 -Unlike in windows where you are not in full control of the releases and fixes, Linux does give you that flexibility to get fixes as and when you require them. This is preferred by developers and security personnel in that they are able to immediately apply a fix when a security threat is identified, unlike in Windows where you can only hope they release the fixes soon. +不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候,Linux 真正给了你灵活性去获取修复。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即自行打补丁,不像 Windows ,你只能期望官方尽快发布补丁。 -### Joining the Crowd +### 跟随大众 -目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,那将会增加他们的运营成本。 -The Linux platform far outnumbers Windows in the number of servers that are running on it, nearly a quarter of all servers in the world, and the trend is not about to change anytime soon. Many organizations, therefore, do migrate so as to be fully on Linux rather than running two platforms concurrently, which adds up to their operating costs. +目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,同时使用将会增加他们的运营成本。 -### Microsoft isn’t Open Sourcing SQL Server’s Code +### 微软没有开放 SQL Server 的源代码 微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们的协议依旧有效,但是新版本将能在Linux上运行。这一点将许多乐于接受开源新版的人拒之门外。 -In as much as Microsoft have announced that their next release of MSSQL server (named Denali) will be a Linux version, that will still not open their source code, meaning that their licenses will still apply, but the release will be run on Linux. 
This still locks out the many users who would happily take to the release if it was open source. +这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 [MySQL 用户][7]也是如此。 -这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 MySQL 用于也是如此。 -This still does not give an alternative to those users who are using Oracle, which is not open source; neither does it to those [using MySQL][7], which is fully open source. - -### Saving on License Costs +### 节约许可证的花费 许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MSSQL 服务器有太多的许可证牵涉其中。你需要这些许可: -The cost implication of licenses is a huge letdown for many users. Running a MSSQL server on Windows platform has too many licenses involved. You need licenses for: -*   The windows operating system Windows 操作系统 -*   The MSSQL server MSSQL服务器 -*   Specific database tools e.g. SQL analytics tools, etc.特定的数据库工具例如 SQL 分析工具等 +*   Windows 操作系统 +*   MSSQL 服务器 +*   特定的数据库工具,例如 SQL 分析工具等 -不像在 Windows 平台上, Linux 完全没有高昂的授权花费,,因此更能吸引用户。 MySQL 数据库也能免费获取,即使他能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 -Unlike in Windows platform, Linux eliminates the issues of high licenses costs, and thus more appealing to users. MySQL database is also a free source even though it offers the flexibility just as MSSQL server, thus it is more preferred. Most of the database utility tools for MySQL are mostly free, unlike for MSSQL. +不像 Windows 平台,Linux 完全没有高昂的授权花费,因此更能吸引用户。 MySQL 数据库也能免费获取,即使它能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 -### Sometimes, the Specific Hardware being Used +### 有时候被使用的特定硬件 -因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛使用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 -Because Linux is developed and always being enhanced by various developers, it is independent of the hardware it operates on and thus widely used on different hardware platforms. However, as much as Microsoft has tried to ensure that Windows and MSSQL server are hardware independent; there are still some limitations in platform independence. 
+因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛应用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 -### Support -有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题 -With Linux and MySQL, as well as with other open source software, it is easier to get support on the specific need that you have, because there are various developers involved in their development. These developers maybe within your locality, thus are easily reached. Also, online forums are of great help whereby you are able to post and discuss the issues you face. +### 支持 +有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题。 至于那些商业软件,你只能根据他们的软件协议和时间来获得帮助,有时候他们不能在你的时间范围内给出一个解决方案。 -For commercial software, you get support based on their software agreement with you and their timing, and at times may not give you a solution within the timelines that you have. -在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可依赖的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 -In every case, migrating to Linux gives you the best option and outcome that you can have, by joining a radical, stable and reliable platform, which is known to be more robust than Windows. It is worth a shot. +在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可靠的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 -------------------------------------------------------------------------------- From 9ff767463d24e33d59bb1c16f858cbffecfdf479 Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Wed, 28 Dec 2016 21:22:15 +0800 Subject: [PATCH 045/181] Delete 20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md --- ...- Move from SQL Server to MySQL as well.md | 75 ------------------- 1 file changed, 75 deletions(-) delete mode 100644 sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
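Review bot: Under "### 跟随大众" in the `@@ -5,70 +5,55 @@` hunk, the re-added line still reads "几乎是全世界服务器数量的四分之三" (three quarters), but the English line this hunk deletes says "nearly a quarter of all servers in the world". Once the English is removed the discrepancy can no longer be checked in the file, so correct it to 四分之一 or flag it for the proofreader before dropping the source text. Likewise, "有多少个人和组织完成了迁移,就应该满足多少商业需求" does not carry the deleted sentence's meaning that the migration should be driven by a business need rather than done for its own sake.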
diff --git a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md deleted file mode 100644 index 33619ee143..0000000000 --- a/sources/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ /dev/null 
@@ -1,75 +0,0 @@ -翻译中 by ypingcn - -把 SQL Server 迁移到Linux?也把 SQL Server 换成 MySQL 吧! -============================================================ - -### 在这篇文章里将会讲 - -1.  [控制平台][1] -2.  [跟随大众][2] -3.  [微软没有开放 SQL Server 的源代码][3] -4.  [节约许可证的花费][4] -5.  [有时候被使用的特定硬件][5] -6.  [支持][6] - -最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 - -迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL 服务器数据库管理系统的迁移也有着同样的趋势,首选的是 MySQL ,因为 MySQL 的互用性、平台独立和低的购置成本。 - -有多少个人和组织完成了迁移,就应该满足多少商业需求,迁移,不能只是为了乐趣。这样的话,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 - -迁移需要基于以下重要因素: - -### 控制平台 - -不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候,Linux 真正给了你灵活性去获取修复。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即自行打补丁,不像 Windows ,你只能期望官方尽快发布补丁。 - -### 跟随大众 - -目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,同时使用将会增加他们的运营成本。 - -### 微软没有开放 SQL Server 的源代码 - -微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们的协议依旧有效,但是新版本将能在Linux上运行。这一点将许多乐于接受开源新版的人拒之门外。 - -这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 [MySQL 用户][7]也是如此。 - -### 节约许可证的花费 - -许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MSSQL 服务器有太多的许可证牵涉其中。你需要这些许可: - -*   Windows 操作系统 -*   MSSQL 服务器 -*   特定的数据库工具,例如 SQL 分析工具等 - -不像 Windows 平台,Linux 完全没有高昂的授权花费,因此更能吸引用户。 MySQL 数据库也能免费获取,即使它能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 - -### 有时候被使用的特定硬件 - -因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛应用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 - -### 支持 -有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题。 - -至于那些商业软件,你只能根据他们的软件协议和时间来获得帮助,有时候他们不能在你的时间范围内给出一个解决方案。 - -在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可靠的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 - --------------------------------------------------------------------------------- - -via: 
https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/ - -作者:[Tony Branson ][a] -译者:[ypingcn](https://github.com/ypingcn) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://twitter.com/howtoforgecom -[1]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#to-have-control-over-the-platform -[2]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#joining-the-crowd -[3]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#microsoft-isnrsquot-open-sourcing-sql-serverrsquos-code -[4]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#saving-on-license-costs -[5]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#sometimes-the-specific-hardware-being-used -[6]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#support -[7]:http://www.scalearc.com/how-it-works/products/scalearc-for-mysql From 7c2622cb214fec310c053e2b96567d0f50f237e1 Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Wed, 28 Dec 2016 21:22:56 +0800 Subject: [PATCH 046/181] translated by ypingcn translated --- ...- Move from SQL Server to MySQL as well.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md diff --git a/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md new file mode 100644 index 0000000000..891ae6cf92 --- /dev/null 
+++ b/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -0,0 +1,73 @@ +把 SQL Server 迁移到Linux?也把 SQL Server 换成 MySQL 吧! +============================================================ + +### 在这篇文章里将会讲 + +1.  [控制平台][1] +2.  [跟随大众][2] +3.  [微软没有开放 SQL Server 的源代码][3] +4.  [节约许可证的花费][4] +5.  [有时候被使用的特定硬件][5] +6.  [支持][6] + +最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 + +迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL 服务器数据库管理系统的迁移也有着同样的趋势,首选的是 MySQL ,因为 MySQL 的互用性、平台独立和低的购置成本。 + +有多少个人和组织完成了迁移,就应该满足多少商业需求,迁移,不能只是为了乐趣。这样的话,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 + +迁移需要基于以下重要因素: + +### 控制平台 + +不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候,Linux 真正给了你灵活性去获取修复。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即自行打补丁,不像 Windows ,你只能期望官方尽快发布补丁。 + +### 跟随大众 + +目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,同时使用将会增加他们的运营成本。 + +### 微软没有开放 SQL Server 的源代码 + +微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们的协议依旧有效,但是新版本将能在Linux上运行。这一点将许多乐于接受开源新版的人拒之门外。 + +这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 [MySQL 用户][7]也是如此。 + +### 节约许可证的花费 + +许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MSSQL 服务器有太多的许可证牵涉其中。你需要这些许可: + +*   Windows 操作系统 +*   MSSQL 服务器 +*   特定的数据库工具,例如 SQL 分析工具等 + +不像 Windows 平台,Linux 完全没有高昂的授权花费,因此更能吸引用户。 MySQL 数据库也能免费获取,即使它能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 + +### 有时候被使用的特定硬件 + +因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛使用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 + +### 支持 +有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题。 + +至于那些商业软件,你只能根据他们的软件协议和时间来获得帮助,有时候他们不能在你的时间范围内给出一个解决方案。 + +在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可靠的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 + +-------------------------------------------------------------------------------- + +via: 
https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/ + +作者:[Tony Branson ][a] +译者:[ypingcn](https://github.com/ypingcn) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://twitter.com/howtoforgecom +[1]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#to-have-control-over-the-platform +[2]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#joining-the-crowd +[3]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#microsoft-isnrsquot-open-sourcing-sql-serverrsquos-code +[4]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#saving-on-license-costs +[5]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#sometimes-the-specific-hardware-being-used +[6]:https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/#support +[7]:http://www.scalearc.com/how-it-works/products/scalearc-for-mysql From 0b8c7eb37c5cc6c0347c2fdd2a776f305cd58495 Mon Sep 17 00:00:00 2001 From: Flynn Date: Wed, 28 Dec 2016 23:32:22 +0800 Subject: [PATCH 047/181] translated --- ...923 PyCharm - The Best Linux Python IDE.md | 149 ++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 translated/tech/20160923 PyCharm - The Best Linux Python IDE.md diff --git a/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md b/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md new file mode 100644 index 0000000000..7c7aaa5418 --- /dev/null +++ b/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md 
@@ -0,0 +1,149 @@ +PyCharm - Linux 下最好的 Python IDE(集成开发环境) +========= +![](https://fthmb.tqn.com/AVEbzYN3BPH_8cGYkPflIx58-XE=/768x0/filters:no_upscale()/about/pycharm2-57e2d5ee5f9b586c352c7493.png) + +### 介绍 + +在这篇指南中,我将向你介绍一个集成开发环境 - PyCharm, 你可以在它上面使用 Python 编程语言开发专业应用。 + +Python 是一门优秀的编程语言,因为它真正实现了跨平台,用它开发的应用程序在 Windows、Linux 以及 Mac 系统上均可运行,无需重新编译任何代码。 + +PyCharm 是由 [Jetbrains][3] 开发的一个编辑器和调试器,[Jetbrains][3] 就是那个开发了 Resharper 的人。不得不说,Resharper 是一个很优秀的工具,它被 Windows 开发者们用来重构代码,同时,它也使得 Windows 开发者们写 .NET 代码更加轻松。[Resharper][2] 的许多原则也被加入到了 [PyCharm][3] 专业版中。 + +### 如何安装 PyCharm + +我已经写了一篇关于如何获取 PyCharm 的指南,下载,解压文件,然后运行。 + +[点击链接][4]. + +### 欢迎界面 + +当你第一次运行 PyCharm 或者关闭一个项目的时候,会出现一个屏幕,上面显示一系列近期项目。 + +你也会看到下面这些菜单选项: + +* 创建新项目 +* 打开项目 +* 版本控制检查 + +还有一个配置设置选项,你可以通过它设置默认 Python 版本或者一些其他设置。 + +### 创建一个新项目 + +当你选择‘创建一个新项目’以后,它会提供下面这一系列可能的项目类型供你选择: + +* Pure Python +* Django +* Flask +* Google App Engine +* Pyramid +* Web2Py +* Angular CLI +* AngularJS +* Foundation +* HTML5 Bolierplate +* React Starter Kit +* Twitter Bootstrap +* Web Starter Kit + +这不是一个编程教程,所以我没必要说明这些项目类型是什么。如果你想创建一个可以运行在 Windows、Linux 和 Mac 上的简单桌面运行程序,那么你可以选择 Pure Python 项目,然后使用 QT 库来开发图形应用程序,这样的图形应用程序无论在任何操作系统上运行,看起来都像是原生的,就像是在该系统上开发的一样。 + +选择了项目类型以后,你需要输入一个项目名字并且选择一个 Python 版本来进行开发。 + +### 打开一个项目 + +你可以通过单击‘最近打开的项目’列表中的项目名称来打开一个项目,或者,你也可以单击‘打开’,然后浏览到你想打开的项目所在的文件夹,找到该项目,然后选择‘确定’。 + +### 从源码控制进行查看 + +PyCharm 提供了从各种在线资源查看项目源码的选项,在线资源包括 [GitHub][5]、[CVS][6]、Git、[Mercurial][7] 以及 [Subversion][8]。 + +### PyCharm IDE(集成开发环境) + +PyCharm IDE 可以通过顶部的一个菜单打开,在这个菜单下面你可以为每个打开的项目‘贴上’标签。 + +屏幕右方是调试选项区,可以单步运行代码。 + +左面板有一系列项目文件和外部库。 + +如果想在项目中新建一个文件,你可以‘右击’项目名字,然后选择‘新建’。然后你可以在下面这些文件类型中选择一种添加到项目中: + +* 文件 +* 目录 +* Python 包 +* Python 包 +* Jupyter 笔记 +* HTML 文件 +* Stylesheet +* JavaScript +* TypeScript +* CoffeeScript +* Gherkin +* 数据源 + +当添加了一个文件,比如 Python 文件以后,你可以在右边面板的编辑器中进行编辑。 + +文本是全彩色编码的,并且有黑体文本。垂直线显示缩进,从而能够确保缩进正确。 + +编辑器具有智能补全功能,这意味着当你输入库名字或可识别命令的时候,你可以按 'Tab' 键补全命令。 + +### 调试程序 + +你可以利用屏幕右上角的’调试选项’调试程序的任何一个地方。 + 
+如果你是在开发一个图形应用程序,你可以点击‘绿色按钮’来运行程序,你也可以通过 'shift+F10' 快捷键来运行程序。 + +为了调试应用程序,你可以点击紧挨着‘绿色按钮’的‘绿色箭头’或者按 ‘shift+F9’ 快捷键。你可以点击一行代码的灰色边缘,从而设置断点,这样当程序运行到这行代码的时候就会停下来。 + +你可以按 'F8' 单步向前运行代码,这意味着你只是运行代码但无法进入函数内部,如果要进入函数内部,你可以按 'F7'。如果你想从一个函数中返回到调用函数,你可以按 'shift+F8'。 + +调试过程中,你会在屏幕底部看到许多窗口,比如进程和线程列表,以及你正在监视的变量。 + +当你运行到一行代码的时候,你可以对这行代码中出现的变量进行监视,这样当变量值改变的时候你能够看到。 + +另一个不错的选择是运行检查器覆盖的代码。在过去这些年里,编程界发生了很大的变化,现在,对于开发人员来说,进行测试驱动开发是很常见的,这样他们可以检查对程序所做的每一个改变,确保不会破坏系统的另一部分。 + +检查器能够很好的帮助你运行程序,执行一些测试,运行结束以后,它会以百分比的形式告诉你测试运行所覆盖的代码有多少。 + +还有一个工具可以显示‘类函数’或‘类’的名字,以及一个项目被调用的次数和在一个特定代码片段运行所花费的时间。 + + +### 代码重构 + +PyCharm 一个很强大的特性是代码重构选项。 + +当你开始写代码的时候,会在右边缘出现一个小标记。如果你写的代码可能出错或者写的不太好, PyCharm 会标记上一个彩色标记。 + +点击彩色标记将会告诉你出现的问题并提供一个解决方法。 + +比如,你通过一个导入语句导入了一个库,但没有使用该库中的任何东西,那么不仅这行代码会变成灰色,彩色标记还会告诉你‘该库未使用’。 + +对于正确的代码,也可能会出现错误提示,比如在导入语句和函数起始之间只有一个空行。当你创建了一个名称非小写的函数时它也会提示你。 + +你不必遵循 PyCharm 的所有规则。这些规则大部分只是好的编码准则,与你的代码是否能够正确运行无关。 + +代码菜单还有其他重构选项。比如,你可以进行代码清理以及检查文件或项目问题。 + +### 总结 + +PyCharm 是 Linux 系统上开发 Python 代码的一个优秀编辑器,并且有两个可用版本。社区版可供临时开发者使用,专业版则提供了开发者开发专业软件可能需要的所有工具。 + +-------------------------------------------------------------------------------- + +via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 + +作者:[Gary Newell ][a] +译者:[ucasFL](https://github.com/ucasFL) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.lifewire.com/gary-newell-2180098 +[1]:https://www.jetbrains.com/ +[2]:https://www.jetbrains.com/resharper/ +[3]:https://www.jetbrains.com/pycharm/specials/pycharm/pycharm.html?&gclid=CjwKEAjw34i_BRDH9fbylbDJw1gSJAAvIFqU238G56Bd2sKU9EljVHs1bKKJ8f3nV--Q9knXaifD8xoCRyjw_wcB&gclsrc=aw.ds.ds&dclid=CNOy3qGQoc8CFUJ62wodEywCDg +[4]:https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 +[5]:https://github.com/ +[6]:http://www.linuxhowtos.org/System/cvs_tutorial.htm +[7]:https://www.mercurial-scm.org/ +[8]:https://subversion.apache.org/ 
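Review bot: The JetBrains paragraph of the new file uses `[Jetbrains][3]` twice, whereas the English source links `[Jetbrains][1]`; `[1]` is still defined at the bottom of the file but nothing references it, and the company name now points at the PyCharm landing page behind `[3]`. Change both to `[Jetbrains][1]`. In the list of file types that can be added to a project, "Python 包" appears twice; the source lists "Python Package" and then "Python File", so the second entry should be "Python 文件". On the welcome screen, "版本控制检查" for "Checkout From Version Control" reads as a check or inspection, and "从版本控制检出" is closer to the source.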
From 14106dc5dbbc3aec78ff9e420c3e2cf0197053a3 Mon Sep 17 00:00:00 2001 From: Lv Feng Date: Wed, 28 Dec 2016 23:39:41 +0800 Subject: [PATCH 048/181] Delete 20160923 PyCharm - The Best Linux Python IDE.md --- ...923 PyCharm - The Best Linux Python IDE.md | 149 ------------------ 1 file changed, 149 deletions(-) delete mode 100644 sources/tech/20160923 PyCharm - The Best Linux Python IDE.md diff --git a/sources/tech/20160923 PyCharm - The Best Linux Python IDE.md b/sources/tech/20160923 PyCharm - The Best Linux Python IDE.md deleted file mode 100644 index 602ba776d0..0000000000 --- a/sources/tech/20160923 PyCharm - The Best Linux Python IDE.md +++ /dev/null 
@@ -1,149 +0,0 @@ -ucasFL translating -PyCharm - The Best Linux Python IDE -========= -![](https://fthmb.tqn.com/AVEbzYN3BPH_8cGYkPflIx58-XE=/768x0/filters:no_upscale()/about/pycharm2-57e2d5ee5f9b586c352c7493.png) - -### Introduction - -In this guide I will introduce you to the PyCharm integrated development environment which can be used to develop professional applications using the Python programming language. - -Python is a great programming language because it is truly cross platform and can be used to develop a single application which will run on Windows, Linux and Mac computers without having to recompile any code. - -PyCharm is an editor and debugger developed by [Jetbrains][1] who are the same people who developed Resharper which is a great tool used by Windows developers for refactoring code and to make their lives easier when writing .NET code. Many of the principles of [Resharper][2] have been added to the professional version of [PyCharm][3]. - -### How To Install PyCharm - -I have written a guide showing how to get PyCharm, download it, extract the files and run it. - -[Simply click this link][4]. - -### The Welcome Screen - -When you first run PyCharm or when you close a project you will be presented with a screen showing a list of recent projects. - -You will also see the following menu options: - -* Create New Project -* Open A Project -* Checkout From Version Control - -There is also a configure settings option which lets you set up the default Python version and other such settings. - -### Creating A New Project - -When you choose to create a new project you are provided with a list of possible project types as follows: - -* Pure Python -* Django -* Flask -* Google App Engine -* Pyramid -* Web2Py -* Angular CLI -* AngularJS -* Foundation -* HTML5 Bolierplate -* React Starter Kit -* Twitter Bootstrap -* Web Starter Kit - -This isn't a programming tutorial so I won't be listing what all of those project types are. 
If you want to create a base desktop application which will run on Windows, Linux and Mac then you can choose a Pure Python project and use QT libraries to develop graphical applications which look native to the operating system they are running on regardless as to where they were developed. - -As well as choosing the project type you can also enter the name for your project and also choose the version of Python to develop against. - -### Open A Project - -You can open a project by clicking on the name within the recently opened projects list or you can click the open button and navigate to the folder where the project you wish to open is located. - -### Checking Out From Source Control - -PyCharm provides the option to check out project code from various online resources including [GitHub][5], [CVS][6], Git, [Mercurial][7] and [Subversion][8]. - -### The PyCharm IDE - -The PyCharm IDE starts with a menu at the top and underneath this you have tabs for each open project. - -On the right side of the screen are debugging options for stepping through code. - -The left pane has a list of project files and external libraries. - -To add a file you right-click on the project name and choose "new". You then get the option to add one of the following file types: - -* File -* Directory -* Python Package -* Python File -* Jupyter Notebook -* HTML File -* Stylesheet -* JavaScript -* TypeScript -* CoffeeScript -* Gherkin -* Data Source - -When you add a file, such as a python file you can start typing into the editor in the right panel. - -The text is all colour coded and has bold text . A vertical line shows the indentation so you can be sure that you are tabbing correctly. - -The editor also includes full intellisense which means as you start typing the names of libraries or recognised commands you can complete the commands by pressing tab. - -### Debugging The Application - -You can debug your application at any point by using the debugging options in the top right corner. 
- -If you are developing a graphical application then you can simply press the green button to run the application. You can also press shift and F10. - -To debug the application you can either click the button next to the green arrow or press shift and F9.You can place breakpoints in the code so that the program stops on a given line by clicking in the grey margin on the line you wish to break at. - -To make a single step forward you can press F8 which steps over the code. This means it will run the code but it won't step into a function. To step into the function you would press F7\. If you are in a function and want to step out to the calling function press shift and F8. - -At the bottom of the screen whilst you are debugging you will see various windows such as a list of processes and threads, and variables that you are watching the values for.  - -As you are stepping through code you can add a watch on a variable so that you can see when the value changes.  - -Another great option is to run the code with coverage checker. The programming world has changed a lot during the years and now it is common for developers to perform test-driven development so that every change they make they can check to make sure they haven't broken another part of the system.  - -The coverage checker actually helps you to run the program, perform some tests and then when you have finished it will tell you how much of the code was covered as a percentage during your test run. - -There is also a tool for showing the name of a method or class, how many times the items were called, and how long was spent in that particular piece of code. - -### Code Refactoring - -A really powerful feature of PyCharm is the code refactoring option. - -When you start to develop code little marks will appear in the right margin. If you type something which is likely to cause an error or just isn't written well then PyCharm will place a coloured marker. 
- -Clicking on the coloured marker will tell you the issue and will offer a solution. - -For example, if you have an import statement which imports a library and then don't use anything from that library not only will the code turn grey the marker will state that the library is unused. - -Other errors that will appear are for good coding such as only having one blank line between an import statement and the start of a function. You will also be told when you have created a function that isn't in lowercase. - -You don't have to abide by all of the PyCharm rules. Many of them are just good coding guidelines and are nothing to do with whether the code will run or not. - -The code menu has other refactoring options. For example,​ you can perform code cleanup and you can inspect a file or project for issues. - -### Summary - -PyCharm is a great editor for developing Python code in Linux and there are two versions available. The community version is for the casual developer whereas the professional environment provides all the tools a developer could need for creating professional software. 
- --------------------------------------------------------------------------------- - -via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 - -作者:[Gary Newell ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.lifewire.com/gary-newell-2180098 -[1]:https://www.jetbrains.com/ -[2]:https://www.jetbrains.com/resharper/ -[3]:https://www.jetbrains.com/pycharm/specials/pycharm/pycharm.html?&gclid=CjwKEAjw34i_BRDH9fbylbDJw1gSJAAvIFqU238G56Bd2sKU9EljVHs1bKKJ8f3nV--Q9knXaifD8xoCRyjw_wcB&gclsrc=aw.ds.ds&dclid=CNOy3qGQoc8CFUJ62wodEywCDg -[4]:https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 -[5]:https://github.com/ -[6]:http://www.linuxhowtos.org/System/cvs_tutorial.htm -[7]:https://www.mercurial-scm.org/ -[8]:https://subversion.apache.org/ From f72dd60f51b9220ed957d831fc615b5a6ceff8d9 Mon Sep 17 00:00:00 2001 From: wxy Date: Wed, 28 Dec 2016 23:51:49 +0800 Subject: [PATCH 049/181] PROOF:Part 4 - LXD 2.0--Resource control @geekpi --- .../LXD/Part 4 - LXD 2.0--Resource control.md | 137 +++++++++--------- 1 file changed, 70 insertions(+), 67 deletions(-) diff --git a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md index dbfca7968d..335225e891 100644 --- a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md +++ b/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md 
@@ -3,99 +3,103 @@ LXD 2.0 系列(四):资源控制 这是 [LXD 2.0 系列介绍文章][0]的第四篇。 -因为lxd容器管理有很多命令,因此这篇文章会很长。 如果你想要快速地浏览这些相同的命令,你可以[尝试下我们的在线演示][1]! +因为 LXD 容器管理有很多命令,因此这篇文章会很长。 如果你想要快速地浏览这些相同的命令,你可以[尝试下我们的在线演示][1]! ![](https://linuxcontainers.org/static/img/containers.png) ### 可用资源限制 -LXD提供了不同的资源限制。其中一些绑定到容器本身,如内存配额,CPU限制和I/O优先级。一些与特定设备绑定,如I/O带宽或磁盘使用限制。 +LXD 提供了各种资源限制。其中一些与容器本身相关,如内存配额、CPU 限制和 I/O 优先级。而另外一些则与特定设备相关,如 I/O 带宽或磁盘用量限制。 -与所有LXD配置一样,资源限制可以在容器运行时动态更改。某些可能无法启用,例如,如果设置的内存值小于当前内存使用,但LXD将会重试并且报告失败。 +与所有 LXD 配置一样,资源限制可以在容器运行时动态更改。某些可能无法启用,例如,如果设置的内存值小于当前内存用量,但 LXD 将会试着设置并且报告失败。 -所有限制也可以通过配置文件继承,在这种情况下每个受影响的容器将受到该限制的约束。也就是说,如果在默认配置文件中设置limits.memory=256MB,则使用默认配置文件(通常是所有配置文件)的每个容器的内存限制为256MB。 +所有的限制也可以通过配置文件继承,在这种情况下每个受影响的容器将受到该限制的约束。也就是说,如果在默认配置文件中设置 `limits.memory=256MB`,则使用默认配置文件(通常是全都使用)的每个容器的内存限制为 256MB。 -我们不支持资源限制池,其中的限制将由一组容器共享,因为我们没有什么好的方法由现有的内核API实现这些功能。 +我们不支持资源限制池,将其中的限制由一组容器共享,因为我们没有什么好的方法通过现有的内核 API 实现这些功能。 #### 磁盘 -这或许是最需要和最明显的需求。 只需设置容器文件系统的大小限制,并对容器强制执行。 +这或许是最需要和最明显的需求。只需设置容器文件系统的大小限制,并对容器强制执行。 -这就是LXD让你做的! -不幸的是,这比它听起来复杂得多。 Linux没有基于路径的配额,而大多数文件系统只有基于用户和组的配额,这对容器没有什么用处。 +LXD 确实可以让你这样做! 
-如果你正在使用ZFS或btrfs存储后端,这意味着现在LXD只能支持磁盘限制。也有可能为LVM实现此功能,但这取决于与它一起使用的文件系统,并且如果结合实时更新那会变得棘手起来,因为并不是所有的文件系统都允许在线增长,几乎没有一个允许在线收缩。 +不幸的是,这比它听起来复杂得多。 Linux 没有基于路径的配额,而大多数文件系统只有基于用户和组的配额,这对容器没有什么用处。 + +如果你正在使用 ZFS 或 btrfs 存储后端,这意味着现在 LXD 只能支持磁盘限制。也有可能为 LVM 实现此功能,但这取决于与它一起使用的文件系统,并且如果结合实时更新那会变得棘手起来,因为并不是所有的文件系统都允许在线增长,而几乎没有一个允许在线收缩。 #### CPU -当涉及到CPU的限制,我们支持4种不同的东西: +当涉及到 CPU 的限制,我们支持 4 种不同的东西: -*只给我X个CPU核心 +* 只给我 X 个 CPU 核心 -  在这种模式下,你让LXD为你选择一组核心,然后为更多的容器和CPU的上线/下线提供负载均衡。 -   -  容器只看到这个数量的CPU核心。 -*给我一组特定的CPU核心(例如,核心1,3和5) + 在这种模式下,你让 LXD 为你选择一组核心,然后为更多的容器和 CPU 的上线/下线提供负载均衡。 + + 容器只看到这个数量的 CPU 核心。 -  类似于第一种模式,除了没有发生负载均衡,你会被限制在那些核心,无论它们有多忙。 -*给我你拥有的20% +* 给我一组特定的 CPU 核心(例如,核心1、3 和 5) -  在这种模式下,你可以看到所有的CPU,但调度程序将限制你使用20%的CPU时间,但这只有在负载状态才会这样!所以如果系统不忙,你的容器可以跑得很欢。当其他的容器也开始使用CPU时,它会被限制。 -*每测量200ms,给我50ms(并且不超过) + 类似于第一种模式,但是不会做负载均衡,你会被限制在那些核心上,无论它们有多忙。 -  此模式与上一个模式类似,你可以看到所有的CPU,但这一次,无论系统可能是多么空闲,你只能使用你设置的极限时间下的尽可能多的CPU时间。在没有过量使用的系统上,这可使你可以非常整齐地分割CPU,并确保这些容器的持续性能。 +* 给我你拥有的 20% 处理能力 -另外还可以将前两个中的一个与最后两个之一相结合,即请求一组CPU,然后进一步限制这些CPU的CPU时间。 + 在这种模式下,你可以看到所有的 CPU,但调度程序将限制你使用 20% 的 CPU 时间,但这只有在负载状态才会这样!所以如果系统不忙,你的容器可以跑得很欢。而当其他的容器也开始使用 CPU 时,它会被限制用量。 + +* 每测量 200ms,给我 50ms(并且不超过) + + 此模式与上一个模式类似,你可以看到所有的 CPU,但这一次,无论系统可能是多么空闲,你只能使用你设置的极限时间下的尽可能多的 CPU 时间。在没有过量使用的系统上,这可使你可以非常整齐地分割 CPU,并确保这些容器的持续性能。 + +另外还可以将前两个中的一个与最后两个之一相结合,即请求一组 CPU,然后进一步限制这些 CPU 的 CPU 时间。 除此之外,我们还有一个通用的优先级调节方式,可以告诉调度器当你处于负载状态时,两个争夺资源的容器谁会取得胜利。 #### 内存 -内存听起来很简单,只是给我多少MB的内存! +内存听起来很简单,就是给我多少 MB 的内存! -它绝对可以那么简单。 我们支持这种限制以及基于百分比的请求,比如给我10%的主机内存! +它绝对可以那么简单。 我们支持这种限制以及基于百分比的请求,比如给我 10% 的主机内存! -另外我们在上层支持一些额外的东西。 例如,你可以选择在每个容器上打开或者关闭swap,如果打开,还可以设置优先级,以便你可以选择哪些容器先将内存交换到磁盘! +另外我们在上层支持一些额外的东西。 例如,你可以选择在每个容器上打开或者关闭 swap,如果打开,还可以设置优先级,以便你可以选择哪些容器先将内存交换到磁盘! 
内存限制默认是“hard”。 也就是说,当内存耗尽时,内核将会开始杀掉你的那些进程。 -或者,你可以将强制策略设置为“soft”,在这种情况下,只要没有别的进程的情况下,你将被允许使用尽可能多的内存。一旦别的进程想要这块内存,你将无法分配任何内存直到你低于你的限制或者主机内存再次有空余。 +或者,你可以将强制策略设置为“soft”,在这种情况下,只要没有别的进程的情况下,你将被允许使用尽可能多的内存。一旦别的进程想要这块内存,你将无法分配任何内存,直到你低于你的限制或者主机内存再次有空余。 #### 网络 I/O -网络I/O可能是我们最简单的限制,但是相信我,实现真的不简单! +网络 I/O 可能是我们看起来最简单的限制,但是相信我,实现真的不简单! -我们支持两种限制。 第一个是对网络接口的速率限制。 你可以设置入口和出口的限制,或者只是设置“最大”限制然后应用到出口和入口。这个只支持“桥接”和“p2p”类型接口。 +我们支持两种限制。 第一个是对网络接口的速率限制。你可以设置入口和出口的限制,或者只是设置“最大”限制然后应用到出口和入口。这个只支持“桥接”和“p2p”类型接口。 -第二种是全局网络I/O优先级,仅当你的网络接口趋于饱和的时候再使用。 +第二种是全局网络 I/O 优先级,仅当你的网络接口趋于饱和的时候再使用。 #### 块 I/O 我把最古怪的放在最后。对于用户看起来它可能简单,但有一些情况下,它的结果并不会和你的预期一样。 -我们在这里支持的基本上与我在网络I/O中描述的相同。 +我们在这里支持的基本上与我在网络 I/O 中描述的相同。 -你可以直接设置磁盘的读写IO频率和速率,并且有一个全局的块I/O优先级,它会通知I/O调度程序更倾向哪个。 +你可以直接设置磁盘的读写 IO 的频率和速率,并且有一个全局的块 I/O 优先级,它会通知 I/O 调度程序更倾向哪个。 -奇怪的是如何以及在哪里应用这些限制。不幸的是,我们用于实现这些功能的底层使用的是完整的块设备。这意味着我们不能为每个路径设置每个分区的I/O限制。 +古怪的是如何设置以及在哪里应用这些限制。不幸的是,我们用于实现这些功能的底层使用的是完整的块设备。这意味着我们不能为每个路径设置每个分区的 I/O 限制。 -这也意味着当使用可以支持多个块设备的ZFS或btrfs(带或者不带RAID)回到指定的路径,我们并不知道这个路径是哪个块设备提供的。 +这也意味着当使用可以支持多个块设备映射到指定的路径(带或者不带 RAID)的 ZFS 或 btrfs 时,我们并不知道这个路径是哪个块设备提供的。 -这意味着,完全有可能,实际上有可能,容器使用的磁盘可能来自于多个不同的物理磁盘(绑定挂载或直接挂载)。 +这意味着,完全有可能,实际上确实有可能,容器使用的多个磁盘挂载点(绑定挂载或直接挂载)可能来自于同一个物理磁盘。 -这就使限制变得很奇怪。为了使限制生效,LXD具有猜测给定路径对应块设备的逻辑,这其中包括询问ZFS和btrfs工具,甚至可以在发现一个文件系统中的循环挂载的文件时递归地找出它们。 +这就使限制变得很奇怪。为了使限制生效,LXD 具有猜测给定路径所对应块设备的逻辑,这其中包括询问 ZFS 和 btrfs 工具,甚至可以在发现一个文件系统中循环挂载的文件时递归地找出它们。 -这个逻辑虽然不完美,但通常会产生一组应该应用限制的块设备。LXD接着记录并移动到下一个路径。当遍历完所有的路径,它就得到了非常奇怪的部分。它会平均你为相应块设备设置的限制,然后应用这些。 +这个逻辑虽然不完美,但通常会找到一组应该应用限制的块设备。LXD 接着记录并移动到下一个路径。当遍历完所有的路径,然后到了非常奇怪的部分。它会平均你为相应块设备设置的限制,然后应用这些。 -这意味着你将在容器中“平均”地获得正确的速度,但这也意味着你不能对来自同一个物理磁盘的“/fast”和一个“/slow”目录应用不同的速度限制。 LXD允许你设置它,但最后,它会给你这两个值的平均值。 +这意味着你将在容器中“平均”地获得正确的速度,但这也意味着你不能对来自同一个物理磁盘的“/fast”和一个“/slow”目录应用不同的速度限制。 LXD 允许你设置它,但最后,它会给你这两个值的平均值。 ### 它怎么工作? 
-除了网络限制是通过较旧但是良好的“tc”实现的,上述大多数限制是通过Linux内核的cgroup API来实现的。 +除了网络限制是通过较旧但是良好的“tc”实现的,上述大多数限制是通过 Linux 内核的 cgroup API 来实现的。 -LXD在启动时会检测你在内核中启用了哪些cgroup,并且将只应用内核支持的限制。 如果你缺少一些cgroups,守护进程会输出警告,接着你的init系统将会记录这些。 +LXD 在启动时会检测你在内核中启用了哪些 cgroup,并且将只应用你的内核支持的限制。如果你缺少一些 cgroup,守护进程会输出警告,接着你的 init 系统将会记录这些。 -在Ubuntu 16.04上,默认情况下除了内存交换审计外将会启用所有限制,它需要你通过“swapaccount = 1”这个内核引导参数启用它。 +在 Ubuntu 16.04 上,默认情况下除了内存交换审计外将会启用所有限制,内存交换审计需要你通过`swapaccount = 1`这个内核引导参数来启用。 ### 应用这些限制 @@ -105,7 +109,7 @@ LXD在启动时会检测你在内核中启用了哪些cgroup,并且将只应 lxc config set CONTAINER KEY VALUE ``` -对应配置文件: +或对于配置文件设置: ``` lxc profile set PROFILE KEY VALUE @@ -117,23 +121,23 @@ lxc profile set PROFILE KEY VALUE lxc config device set CONTAINER DEVICE KEY VALUE ``` -对应配置文件 +或对于配置文件设置: ``` lxc profile device set PROFILE DEVICE KEY VALUE ``` -完整有效的配置键、设备类型和设备键可以[看这里][1]。 +有效配置键、设备类型和设备键的完整列表可以[看这里][1]。 #### CPU -要限制使用任意两个cpu核心可以这么做: +要限制使用任意两个 CPU 核心可以这么做: ``` lxc config set my-container limits.cpu 2 ``` -要指定特定的cpu核心,也就是之前说的第二和第四种: +要指定特定的 CPU 核心,比如说第二和第四个: ``` lxc config set my-container limits.cpu 1,3 @@ -145,8 +149,7 @@ lxc config set my-container limits.cpu 1,3 lxc config set my-container limits.cpu 0-3,7-11 ``` -The limits are applied live, as can be seen in this example: -限制实时生效,你可以看下面的例子 +限制实时生效,你可以看下面的例子: ``` stgraber@dakara:~$ lxc exec zerotier -- cat /proc/cpuinfo | grep ^proces @@ -160,9 +163,9 @@ processor : 0 processor : 1 ``` -注意,为了避免完全混淆用户空间,lxcfs会重排/proc/cpuinfo中的条目,以便没有错误。 +注意,为了避免完全混淆用户空间,lxcfs 会重排 `/proc/cpuinfo` 中的条目,以便没有错误。 -就像LXD中的一切,这些设置也可以应用在配置文件中: +就像 LXD 中的一切,这些设置也可以应用在配置文件中: ``` stgraber@dakara:~$ lxc exec snappy -- cat /proc/cpuinfo | grep ^proces 
@@ -177,19 +180,19 @@ processor : 1 processor : 2 ``` -要限制容器使用10%的cpu时间,要设置下cpu allowance: +要限制容器使用 10% 的 CPU 时间,要设置下 CPU allowance: ``` lxc config set my-container limits.cpu.allowance 10% ``` -或者给他一个固定的cpu切片时间: +或者给它一个固定的 CPU 时间切片: ``` lxc config set my-container limits.cpu.allowance 25ms/200ms ``` -最后,要将容器的cpu优先级调到最低: +最后,要将容器的 CPU 优先级调到最低: ``` lxc config set my-container limits.cpu.priority 0 @@ -203,7 +206,7 @@ lxc config set my-container limits.cpu.priority 0 lxc config set my-container limits.memory 256MB ``` -(支持的后缀后KB、MB、GB、TB、PB、EB) +(支持的后缀是 KB、MB、GB、TB、PB、EB) 要关闭容器的内存交换(默认启用): @@ -223,11 +226,11 @@ lxc config set my-container limits.memory.swap.priority 0 lxc config set my-container limits.memory.enforce soft ``` -#### 磁盘和块I/O +#### 磁盘和块 I/O -不像CPU和内存,磁盘和I/O限制是直接作用在实际的设备上的,因此你需要编辑原始设备或者屏蔽某个具体的设备。 +不像 CPU 和内存,磁盘和 I/O 限制是直接作用在实际的设备上的,因此你需要编辑原始设备或者屏蔽某个具体的设备。 -要设置磁盘限制(需要btrfs或者ZFS): +要设置磁盘限制(需要 btrfs 或者 ZFS): ``` lxc config device set my-container root size 20GB @@ -252,7 +255,7 @@ lxc config device set my-container root limits.read 30MB lxc config device set my-container root.limits.write 10MB ``` -或者限制IO频率: +或者限制 IO 频率: ``` lxc config device set my-container root limits.read 20Iops @@ -265,11 +268,11 @@ lxc config device set my-container root limits.write 10Iops lxc config set my-container limits.disk.priority 10 ``` -将那个容器的I/O优先级调到最高。 +将那个容器的 I/O 优先级调到最高。 #### 网络 I/O -只要机制可用,网络I/O基本等同于块I/O。 +只要机制可用,网络 I/O 基本等同于块 I/O。 比如: @@ -301,9 +304,9 @@ Saving to: '/dev/null' 2016-03-26 22:17:56 (11.4 MB/s) - '/dev/null' saved [104857600/104857600] ``` -这就是如何将一个千兆网的连接速度限制到仅仅100Mbit/s的! +这就是如何将一个千兆网的连接速度限制到仅仅 100Mbit/s 的! -和块I/O一样,你可以设置一个总体的网络优先级: +和块 I/O 一样,你可以设置一个总体的网络优先级: ``` lxc config set my-container limits.network.priority 5 
@@ -311,13 +314,13 @@ lxc config set my-container limits.network.priority 5 ### 获取当前资源使用率 -[LXD API][2]可以导出目前容器资源使用情况的一点信息,你可以得到: +[LXD API][2] 可以导出目前容器资源使用情况的一点信息,你可以得到: * 内存:当前、峰值、目前内存交换和峰值内存交换 * 磁盘:当前磁盘使用率 * 网络:每个接口传输的字节和包数。 -另外如果你使用的是非常新的LXD(在写这篇文章时的git版本),你还可以在“lxc info”中得到这些信息: +另外如果你使用的是非常新的 LXD(在写这篇文章时的 git 版本),你还可以在`lxc info`中得到这些信息: ``` stgraber@dakara:~$ lxc info zerotier @@ -375,11 +378,11 @@ Snapshots: ### 总结 -LXD团队花费了几个月的时间来迭代我们使用的这些限制语言。 它是为了在保持强大和功能明确的基础上同时保持简单。 +LXD 团队花费了几个月的时间来迭代我们使用的这些限制的语言。 它是为了在保持强大和功能明确的基础上同时保持简单。 -实时的应用限制和继承配置文件,使其成为一种非常强大的工具,可以在不影响正在运行的服务的情况下实时管理服务器上的负载。 +实时地应用这些限制和通过配置文件继承,使其成为一种非常强大的工具,可以在不影响正在运行的服务的情况下实时管理服务器上的负载。 -### 额外信息 +### 更多信息 LXD 的主站在: @@ -389,7 +392,7 @@ LXD 的邮件列表: LXD 的 IRC 频道: #lxcontainers on irc.freenode.net -如果你不想在你的机器上安装LXD,你可以[在线尝试下][3] +如果你不想在你的机器上安装LXD,你可以[在线尝试下][3]。 -------------------------------------------------------------------------------- @@ -398,7 +401,7 @@ via: https://www.stgraber.org/2016/03/26/lxd-2-0-resource-control-412/ 作者:[Stéphane Graber][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织翻译,[Linux中国](https://linux.cn/) 荣誉推出 From 3e0076577825d65deeab6e5c9e0137bdcf921816 Mon Sep 17 00:00:00 2001 From: wxy Date: Wed, 28 Dec 2016 23:52:25 +0800 Subject: [PATCH 050/181] PUB:Part 4 - LXD 2.0--Resource contro @geekpi --- .../tech => published}/LXD/Part 4 - LXD 2.0--Resource control.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/LXD/Part 4 - LXD 2.0--Resource control.md (100%) diff --git a/translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md b/published/LXD/Part 4 - LXD 2.0--Resource control.md similarity index 100% rename from translated/tech/LXD/Part 4 - LXD 2.0--Resource control.md rename to published/LXD/Part 4 - LXD 2.0--Resource control.md From 9bbd54192d8b4d35ff7231aac115a709610eff46 Mon Sep 17 00:00:00 2001 
From: wxy Date: Thu, 29 Dec 2016 00:54:02 +0800 Subject: [PATCH 051/181] PROOF:20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well @ypingcn --- ...- Move from SQL Server to MySQL as well.md | 48 ++++++++----------- 1 file changed, 20 insertions(+), 28 deletions(-) diff --git a/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md index 891ae6cf92..050bb362db 100644 --- a/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md +++ b/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md 
@@ -1,65 +1,57 @@ -把 SQL Server 迁移到Linux?也把 SQL Server 换成 MySQL 吧! +把 SQL Server 迁移到 Linux?不如换成 MySQL ============================================================ -### 在这篇文章里将会讲 +最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux 是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是为什么那么多的个人和组织选择迁移的一个原因。 -1.  [控制平台][1] -2.  [跟随大众][2] -3.  [微软没有开放 SQL Server 的源代码][3] -4.  [节约许可证的花费][4] -5.  [有时候被使用的特定硬件][5] -6.  [支持][6] +迁移的原因有很多,更强的平台稳定性、可靠性、成本、所有权和安全性等等。随着更多的个人和组织迁移到 Linux 平台,MS SQL 服务器数据库管理系统的迁移也有着同样的趋势,首选的是 MySQL ,这是因为 MySQL 的互用性、平台无关性和购置成本低。 -最近几年,数量庞大的个人和组织放弃 Windows 平台选择 Linux 平台,而且随着人们体验到更多 Linux 的发展,这个数字将会继续增长。在很长的一段时间内, Linux是网络服务器的领导者,因为大部分的网络服务器都运行在 Linux 之上,这或许是一个为什么那么多个人和组织选择迁移的原因。 - -迁移的原因有很多,更强的平台稳定性、可靠性、花费、所有权和安全性。更多的个人和组织迁移到 Linux 平台,MS SQL 服务器数据库管理系统的迁移也有着同样的趋势,首选的是 MySQL ,因为 MySQL 的互用性、平台独立和低的购置成本。 - -有多少个人和组织完成了迁移,就应该满足多少商业需求,迁移,不能只是为了乐趣。这样的话,一个综合可行性和成本效益分析是有必要执行的,分析能了解迁移对于你业务上的正面和负面影响。 +有如此多的个人和组织完成了迁移,这是应业务需求而产生的迁移,而不是为了迁移的乐趣。因此,有必要做一个综合可行性和成本效益分析,以了解迁移对于你的业务上的正面和负面影响。 迁移需要基于以下重要因素: -### 控制平台 +### 对平台的掌控 -不像Windows那样每次发布和修复都不能完全掌控,当你需要修复的时候,Linux 真正给了你灵活性去获取修复。这一点受到开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即自行打补丁,不像 Windows ,你只能期望官方尽快发布补丁。 +不像 Windows 那样,你不能完全控制版本发布和修复,而 Linux 可以让你需要需要修复的时候真正给了你获取修复的灵活性。这一点受到了开发者和安全人员的喜爱,因为他们能在一个安全威胁被确定时立即自行打补丁,不像 Windows ,你只能期望官方尽快发布补丁。 ### 跟随大众 -目前, 运行在 Linux 平台上的服务器在数量上远超过 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,同时使用将会增加他们的运营成本。 +目前, 运行在 Linux 平台上的服务器在数量上远超 Windows,几乎是全世界服务器数量的四分之三,而且这种趋势在最近一段时间内不会改变。因此,许多组织正在将他们的服务完全迁移到 Linux 上,而不是同时使用两种平台,同时使用将会增加他们的运营成本。 ### 微软没有开放 SQL Server 的源代码 -微软宣称他们下一个名为 Denali 的新版 MSSQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们的协议依旧有效,但是新版本将能在Linux上运行。这一点将许多乐于接受开源新版的人拒之门外。 +微软宣称他们下一个名为 Denali 的新版 MS SQL Server 将会是一个 Linux 版本,并且不会开放其源代码,这意味着他们仍然使用的是软件授权模式,只是新版本将能在 Linux 上运行而已。这一点将许多乐于接受开源新版本的人拒之门外。 -这仍然没有给那些使用闭源的 Oracle 用户另一个选择,使用完全开源的 [MySQL 用户][7]也是如此。 +这也没有给那些使用闭源的 Oracle 用户另一个选择,对于使用完全开源的 [MySQL 用户][7]也是如此。 -### 节约许可证的花费 
+### 节约授权许可证的花费 -许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MSSQL 服务器有太多的许可证牵涉其中。你需要这些许可: +授权许可证的潜在成本让许多用户很失望。在 Windows 平台上运行 MS SQL 服务器有太多的授权许可证牵涉其中。你需要这些授权许可证: *   Windows 操作系统 -*   MSSQL 服务器 +*   MS SQL 服务器 *   特定的数据库工具,例如 SQL 分析工具等 -不像 Windows 平台,Linux 完全没有高昂的授权花费,因此更能吸引用户。 MySQL 数据库也能免费获取,即使它能灵活地当作是一个 MSSQL 服务器。不像那些给 MSSQL 设计的收费程序,大部分的 MySQL 数据库实用程序是免费的。 +不像 Windows 平台,Linux 完全没有高昂的授权花费,因此更能吸引用户。 MySQL 数据库也能免费获取,甚而它提供了像 MS SQL 服务器一样的灵活性,那就更值得选择了。不像那些给 MS SQL 设计的收费工具,大部分的 MySQL 数据库实用程序是免费的。 -### 有时候被使用的特定硬件 +### 有时候用的是特殊的硬件 -因为 Linux 先进和总是被不同的开发者所选择,所以它独立于所运行的硬件之上并能被广泛使用在不同的硬件平台。然而微软正在努力让 Windows 和 MSSQL 服务器拥有硬件独立性,在平台的独立性上依旧有些限制。 +因为 Linux 是不同的开发者所开发,并在不断改进中,所以它独立于所运行的硬件之上,并能被广泛使用在不同的硬件平台。然而尽管微软正在努力让 Windows 和 MSSQL 服务器做到硬件无关,但在平台无关上依旧有些限制。 ### 支持 -有了 Linux 、 MySQL 和其他的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题。 + +有了 Linux、MySQL 和其它的开源软件,获取满足自己特定需求的帮助变得更加简单,因为有不同开发者参与到这些软件的开发过程中。这些开发者或许就在你附近,这样更容易获取帮助。在线论坛也能帮上不少,你能发帖并讨论你所面对的问题。 至于那些商业软件,你只能根据他们的软件协议和时间来获得帮助,有时候他们不能在你的时间范围内给出一个解决方案。 -在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底、稳定可靠的平台来获取优异表现。总所周知,这比 Windows 要多花费一点精力。这值得一试。 +在不同的情况中,迁移到 Linux 都是你最好的选择,加入一个彻底的、稳定可靠的平台来获取优异表现,众所周知,它比 Windows 更健壮。这值得一试。 -------------------------------------------------------------------------------- via: https://www.howtoforge.com/tutorial/moving-with-sql-server-to-linux-move-from-sql-server-to-mysql-as-well/ -作者:[Tony Branson ][a] +作者:[Tony Branson][a] 译者:[ypingcn](https://github.com/ypingcn) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 From 311998ff7a601774fc6d38b6ca00c58b9768e956 Mon Sep 17 00:00:00 2001 
From: wxy Date: Thu, 29 Dec 2016 00:55:03 +0800 Subject: [PATCH 052/181] PUB:20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @ypingcn Nice translation, keep it up! --- ...SQL Server to Linux - Move from SQL Server to MySQL as well.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md (100%) diff --git a/translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/published/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md similarity index 100% rename from translated/tech/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md rename to published/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md From efe81906f3339d925b1eed89dea47545175f11f3 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:14:04 +0800 Subject: [PATCH 053/181] =?UTF-8?q?20161229-1=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../LXD/Part 5 - LXD 2.0--LXD and Juju.md | 353 ++++++++++++++++++ 1 file changed, 353 insertions(+) create mode 100644 sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md diff --git a/sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md new file mode 100644 index 0000000000..9098c3d987 --- /dev/null +++ b/sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md
@@ -0,0 +1,353 @@ +# LXD 2.0: LXD and Juju [10/12] + +This is the tenth blog post in [this series about LXD 2.0][1]. + + ![LXD logo](https://linuxcontainers.org/static/img/containers.png) + +Introduction +============================================================ + +Juju is Canonical’s service modeling and deployment tool. It supports a very wide range of cloud providers to make it easy for you to deploy any service you want on any cloud you want. + +On top of that, Juju 2.0 also includes support for LXD, both for local deployments, ideal for development and as a way to co-locate services on a cloud instance or physical machine. + +This post will focus on the local use case, going through the experience of a LXD user without any pre-existing Juju experience. + +# Requirements + +This post assumes that you already have LXD 2.0 installed and configured (see previous posts) and that you’re running it on Ubuntu 16.04 LTS. + +# Setting up Juju + +The first thing to do is to install Juju 2.0\. On Ubuntu 16.04, it’s as simple as: + +``` +stgraber@dakara:~$ sudo apt install juju +Reading package lists... Done +Building dependency tree +Reading state information... Done +The following additional packages will be installed: + juju-2.0 +Suggested packages: + juju-core +The following NEW packages will be installed: + juju juju-2.0 +0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. +Need to get 39.7 MB of archives. +After this operation, 269 MB of additional disk space will be used. +Do you want to continue? [Y/n] +Get:1 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 juju-2.0 amd64 2.0~beta7-0ubuntu1.16.04.1 [39.6 MB] +Get:2 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 juju all 2.0~beta7-0ubuntu1.16.04.1 [9,556 B] +Fetched 39.7 MB in 0s (53.4 MB/s) +Selecting previously unselected package juju-2.0. +(Reading database ... 255132 files and directories currently installed.) 
+Preparing to unpack .../juju-2.0_2.0~beta7-0ubuntu1.16.04.1_amd64.deb ... +Unpacking juju-2.0 (2.0~beta7-0ubuntu1.16.04.1) ... +Selecting previously unselected package juju. +Preparing to unpack .../juju_2.0~beta7-0ubuntu1.16.04.1_all.deb ... +Unpacking juju (2.0~beta7-0ubuntu1.16.04.1) ... +Processing triggers for man-db (2.7.5-1) ... +Setting up juju-2.0 (2.0~beta7-0ubuntu1.16.04.1) ... +Setting up juju (2.0~beta7-0ubuntu1.16.04.1) ... +``` + +Once that’s done, we can bootstrap a new “controller” using LXD. This means that Juju will not modify anything on your host, it will instead install its management service inside a LXD container. + +Here, we’ll be creating a controller called “test” with: + +``` +stgraber@dakara:~$ juju bootstrap localhost test +Creating Juju controller "local.test" on localhost/localhost +Bootstrapping model "admin" +Starting new instance for initial controller +Launching instance + - juju-745d1be3-e93d-41a2-80d4-fbe8714230dd-machine-0 +Installing Juju agent on bootstrap instance +Preparing for Juju GUI 2.1.2 release installation +Waiting for address +Attempting to connect to 10.178.150.72:22 +Logging to /var/log/cloud-init-output.log on remote host +Running apt-get update +Running apt-get upgrade +Installing package: curl +Installing package: cpu-checker +Installing package: bridge-utils +Installing package: cloud-utils +Installing package: cloud-image-utils +Installing package: tmux +Fetching tools: curl -sSfw 'tools from %{url_effective} downloaded: HTTP %{http_code}; time %{time_total}s; size %{size_download} bytes; speed %{speed_download} bytes/s ' --retry 10 -o $bin/tools.tar.gz <[https://streams.canonical.com/juju/tools/agent/2.0-beta7/juju-2.0-beta7-xenial-amd64.tgz]> +Bootstrapping Juju machine agent +Starting Juju machine agent (jujud-machine-0) +Bootstrap agent installed +Waiting for API to become available: upgrade in progress (upgrade in progress) +Waiting for API to become available: upgrade in progress (upgrade in progress) 
+Waiting for API to become available: upgrade in progress (upgrade in progress) +Bootstrap complete, local.test now available. +``` + +This should take about a minute, at which point you’ll see a new LXD container running: + +``` +stgraber@dakara:~$ lxc list juju- ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +| juju-745d1be3-e93d-41a2-80d4-fbe8714230dd-machine-0 | RUNNING | 10.178.150.72 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +``` + +On the Juju side of things, you can confirm that it’s responding and that nothing is running yet: + +``` +stgraber@dakara:~$ juju status +[Services] +NAME STATUS EXPOSED CHARM + +[Units] +ID WORKLOAD-STATUS JUJU-STATUS VERSION MACHINE PORTS PUBLIC-ADDRESS MESSAGE + +[Machines] +ID STATE DNS INS-ID SERIES AZ +``` + +You can also access the Juju GUI in your web browser with: + +``` +stgraber@dakara:~$ juju gui +Opening the Juju GUI in your browser. +If it does not open, open this URL: +https://10.178.150.72:17070/gui/97fa390d-96ad-44df-8b59-e15fdcfc636b/ +``` + + ![Juju web UI](https://www.stgraber.org/wp-content/uploads/2016/06/juju-gui.png) + +Though I prefer the command line so that’s what I’ll be using next. + +# Deploying a minecraft server + +So lets start with something very trivial, just deploy a service that uses a single Juju unit in a single container. + +``` +stgraber@dakara:~$ juju deploy cs:trusty/minecraft +Added charm "cs:trusty/minecraft-3" to the model. +Deploying charm "cs:trusty/minecraft-3" with the charm series "trusty". +``` + +This should return pretty much immediately. It however doesn’t mean the service is already up and running. 
Instead you’ll want to look at “juju status”: + +``` +stgraber@dakara:~$ juju status +[Services] +NAME STATUS EXPOSED CHARM +minecraft maintenance false cs:trusty/minecraft-3 + +[Units] +ID WORKLOAD-STATUS JUJU-STATUS VERSION MACHINE PORTS PUBLIC-ADDRESS MESSAGE +minecraft/1 maintenance executing 2.0-beta7 1 10.178.150.74 (install) Installing java + +[Machines] +ID STATE DNS INS-ID SERIES AZ +1 started 10.178.150.74 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-1 trusty + +``` + +Here we can see it’s currently busy installing java in the LXD container it just created. + +``` +stgraber@dakara:~$ lxc list juju- ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +| juju-745d1be3-e93d-41a2-80d4-fbe8714230dd-machine-0 | RUNNING | 10.178.150.72 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +| juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-1 | RUNNING | 10.178.150.74 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+----------------------+------+------------+-----------+ +``` + +After a little while, the service will be done deploying as can be seen here: + +``` +stgraber@dakara:~$ juju status +[Services] +NAME STATUS EXPOSED CHARM +minecraft active false cs:trusty/minecraft-3 + +[Units] +ID WORKLOAD-STATUS JUJU-STATUS VERSION MACHINE PORTS PUBLIC-ADDRESS MESSAGE +minecraft/1 active idle 2.0-beta7 1 25565/tcp 10.178.150.74 Ready + +[Machines] +ID STATE DNS INS-ID SERIES AZ +1 started 10.178.150.74 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-1 trusty +``` + +At which point you can fire up your minecraft client, point it at 10.178.150.74 on port 25565 and play with your all 
new minecraft server! + +When you want to get rid of it, just run: + +``` +stgraber@dakara:~$ juju destroy-service minecraft +``` + +Wait a few seconds and everything will be gone. + +# Deploying a more complex web application + +Juju’s main focus is on modeling complex services and deploying them in a scallable way. + +To better show that, lets deploy a Juju “bundle”. This bundle is a basic web service, made of a website, an API endpoint, a database, a static web server and a reverse proxy. + +So that’s going to expand to 4, inter-connected LXD containers. + +``` +stgraber@dakara:~$ juju deploy cs:~charmers/bundle/web-infrastructure-in-a-box +added charm cs:~hp-discover/trusty/node-app-1 +service api deployed (charm cs:~hp-discover/trusty/node-app-1 with the series "trusty" defined by the bundle) +annotations set for service api +added charm cs:trusty/mongodb-3 +service mongodb deployed (charm cs:trusty/mongodb-3 with the series "trusty" defined by the bundle) +annotations set for service mongodb +added charm cs:~hp-discover/trusty/nginx-4 +service nginx deployed (charm cs:~hp-discover/trusty/nginx-4 with the series "trusty" defined by the bundle) +annotations set for service nginx +added charm cs:~hp-discover/trusty/nginx-proxy-3 +service nginx-proxy deployed (charm cs:~hp-discover/trusty/nginx-proxy-3 with the series "trusty" defined by the bundle) +annotations set for service nginx-proxy +added charm cs:~hp-discover/trusty/website-3 +service website deployed (charm cs:~hp-discover/trusty/website-3 with the series "trusty" defined by the bundle) +annotations set for service website +related mongodb:database and api:mongodb +related website:nginx-engine and nginx:web-engine +related api:website and nginx-proxy:website +related nginx-proxy:website and website:website +added api/0 unit to new machine +added mongodb/0 unit to new machine +added nginx/0 unit to new machine +added nginx-proxy/0 unit to new machine +deployment of bundle 
"cs:~charmers/bundle/web-infrastructure-in-a-box-10" completed +``` + +A few seconds later, you’ll see all the LXD containers running: + +``` +stgraber@dakara:~$ lxc list juju- ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| juju-745d1be3-e93d-41a2-80d4-fbe8714230dd-machine-0 | RUNNING | 10.178.150.72 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-2 | RUNNING | 10.178.150.98 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-3 | RUNNING | 10.178.150.29 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-4 | RUNNING | 10.178.150.202 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +| juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-5 | RUNNING | 10.178.150.214 (eth0) | | PERSISTENT | 0 | ++-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ +``` + +After a couple of minutes, all the services should be deployed and running: + +``` +stgraber@dakara:~$ juju status +[Services] +NAME STATUS EXPOSED CHARM +api unknown false cs:~hp-discover/trusty/node-app-1 +mongodb unknown false cs:trusty/mongodb-3 +nginx unknown false cs:~hp-discover/trusty/nginx-4 +nginx-proxy unknown false 
cs:~hp-discover/trusty/nginx-proxy-3 +website false cs:~hp-discover/trusty/website-3 + +[Relations] +SERVICE1 SERVICE2 RELATION TYPE +api mongodb database regular +api nginx-proxy website regular +mongodb mongodb replica-set peer +nginx website nginx-engine subordinate +nginx-proxy website website regular + +[Units] +ID WORKLOAD-STATUS JUJU-STATUS VERSION MACHINE PORTS PUBLIC-ADDRESS MESSAGE +api/0 unknown idle 2.0-beta7 2 8000/tcp 10.178.150.98 +mongodb/0 unknown idle 2.0-beta7 3 27017/tcp,27019/tcp,27021/tcp,28017/tcp 10.178.150.29 +nginx-proxy/0 unknown idle 2.0-beta7 5 80/tcp 10.178.150.214 +nginx/0 unknown idle 2.0-beta7 4 10.178.150.202 + website/0 unknown idle 2.0-beta7 10.178.150.202 + +[Machines] +ID STATE DNS INS-ID SERIES AZ +2 started 10.178.150.98 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-2 trusty +3 started 10.178.150.29 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-3 trusty +4 started 10.178.150.202 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-4 trusty +5 started 10.178.150.214 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-5 trusty +``` + +At which point, you can hit the reverse proxy on port 80 with http://10.178.150.214 and you’ll hit the Juju academy web service. + +[ + ![Juju Academy web service](https://www.stgraber.org/wp-content/uploads/2016/06/juju-academy.png) +][2] + +# Cleaning everything up + +If you want to get rid of all the containers Juju created and don’t mind having to bootstrap again next time, the easiest way to destroy everything is with: + +``` +stgraber@dakara:~$ juju destroy-controller test --destroy-all-models +WARNING! This command will destroy the "local.test" controller. +This includes all machines, services, data and other resources. + +Continue [y/N]? 
y +Destroying controller +Waiting for hosted model resources to be reclaimed +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines, 5 services +Waiting on 1 model, 4 machines +Waiting on 1 model, 4 machines +Waiting on 1 model, 4 machines +Waiting on 1 model, 4 machines +Waiting on 1 model, 4 machines +Waiting on 1 model, 4 machines +Waiting on 1 model, 2 machines +Waiting on 1 model +Waiting on 1 model +All hosted models reclaimed, cleaning up controller machines +``` + +And we can confirm that it’s all gone: + +``` +stgraber@dakara:~$ lxc list juju- ++------+-------+------+------+------+-----------+ +| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | ++------+-------+------+------+------+-----------+ +``` + +# Conclusion + +Juju 2.0’s built-in LXD support makes for a very clean way to test a whole variety of services. + +There are quite a few pre-made “bundles” for you to deploy in the Juju charm store and even more “charms” that you can use to piece together the architecture you want. + +Juju with LXD is the perfect solution for easily developing anything from a small web service to a big scale out infrastructure, all on your own machine, without creating a mess on your system! + +-------------------------------------------------------------------------- +作者简介:I’m Stéphane Graber. I’m probably mostly known as the LXC and LXD project leader, currently working as a technical lead for LXD at Canonical Ltd. from my home in Montreal, Quebec, Canada. 
+ +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/06/06/lxd-2-0-lxd-and-juju-1012/ + +作者:[ Stéphane Graber][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.stgraber.org/author/stgraber/ +[1]:https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ +[2]:https://www.stgraber.org/wp-content/uploads/2016/06/juju-academy.png From 4996df8f99d1d54af8acc7ea78492a8f1170e8f5 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:15:50 +0800 Subject: [PATCH 054/181] =?UTF-8?q?20161229-2=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../LXD/Part 11 - LXD 2.0--LXD and Juju.md | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md diff --git a/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md new file mode 100644 index 0000000000..3a981c8dec --- /dev/null +++ b/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md 
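Review bot: In the Juju article whose hunk ends just above (the file closing with the `[2]:` juju-academy.png reference), the section "Deploying a more complex web application" carries two source typos, "scallable" and "lets deploy", which should be flagged so they are not mirrored in the translation. The same section lists five bundle components (website, API endpoint, database, static web server, reverse proxy) and then says this will "expand to 4, inter-connected LXD containers" without explanation. The `juju status` output in the hunk accounts for the difference: the `nginx website nginx-engine subordinate` relation and the `website/0` row with no MACHINE value show that the website unit shares the nginx machine. A short translator's note at that sentence would help, and it could also mention that `lxc list juju-` shows a fifth container, `machine-0`, under a different UUID prefix from the other four.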
@@ -0,0 +1,127 @@ +# LXD 2.0: LXD and OpenStack [11/12] + +This is the eleventh blog post in [this series about LXD 2.0][1]. + + ![LXD logo](https://linuxcontainers.org/static/img/containers.png) + +Introduction +============================================================ + +First of all, sorry for the delay. It took quite a long time before I finally managed to get all of this going. My first attempts were using devstack which ran into a number of issues that had to be resolved. Yet even after all that, I still wasn’t be able to get networking going properly. + +I finally gave up on devstack and tried “conjure-up” to deploy a full Ubuntu OpenStack using Juju in a pretty user friendly way. And it finally worked! + +So below is how to run a full OpenStack, using LXD containers instead of VMs and running all of this inside a LXD container (nesting!). + +# Requirements + +This post assumes you’ve got a working LXD setup, providing containers with network access and that you have a pretty beefy CPU, around 50GB of space for the container to use and at least 16GB of RAM. + +Remember, we’re running a full OpenStack here, this thing isn’t exactly light! + +# Setting up the container + +OpenStack is made of a lof of different components, doing a lot of different things. Some require some additional privileges so to make our live easier, we’ll use a privileged container. + +We’ll configure that container to support nesting, pre-load all the required kernel modules and allow it access to /dev/mem (as is apparently needed). + +Please note that this means that most of the security benefit of LXD containers are effectively disabled for that container. However the containers that will be spawned by OpenStack itself will be unprivileged and use all the normal LXD security features. 
+ +``` +lxc launch ubuntu:16.04 openstack -c security.privileged=true -c security.nesting=true -c "linux.kernel_modules=iptable_nat, ip6table_nat, ebtables, openvswitch" +lxc config device add openstack mem unix-char path=/dev/mem +``` + +There is a small bug in LXD where it would attempt to load kernel modules that have already been loaded on the host. This has been fixed in LXD 2.5 and will be fixed in LXD 2.0.6 but until then, this can be worked around with: + +``` +lxc exec openstack -- ln -s /bin/true /usr/local/bin/modprobe +``` + +Then we need to add a couple of PPAs and install conjure-up, the deployment tool we’ll use to get OpenStack going. + +``` +lxc exec openstack -- apt-add-repository ppa:conjure-up/next -y +lxc exec openstack -- apt-add-repository ppa:juju/stable -y +lxc exec openstack -- apt update +lxc exec openstack -- apt dist-upgrade -y +lxc exec openstack -- apt install conjure-up -y +``` + +And the last setup step is to configure LXD networking inside the container. +Answer with the default for all questions, except for: + +* Use the “dir” storage backend (“zfs” doesn’t work in a nested container) +* Do NOT configure IPv6 networking (conjure-up/juju don’t play well with it) + +``` +lxc exec openstack -- lxd init +``` + +And that’s it for the container configuration itself, now we can deploy OpenStack! + +# Deploying OpenStack with conjure-up + +As mentioned earlier, we’ll be using conjure-up to deploy OpenStack. +This is a nice, user friendly, tool that interfaces with Juju to deploy complex services. + +Start it with: + +``` +lxc exec openstack -- sudo -u ubuntu -i conjure-up +``` + +* Select “OpenStack with NovaLXD” +* Then select “localhost” as the deployment target (uses LXD) +* And hit “Deploy all remaining applications” + +This will now deploy OpenStack. The whole process can take well over an hour depending on what kind of machine you’re running this on. 
You’ll see all services getting a container allocated, then getting deployed and finally interconnected. + + ![Conjure-Up deploying OpenStack](https://www.stgraber.org/wp-content/uploads/2016/10/conjure-up.png) + +Once the deployment is done, a few post-install steps will appear. This will import some initial images, setup SSH authentication, configure networking and finally giving you the IP address of the dashboard. + +# Access the dashboard and spawn a container + +The dashboard runs inside a container, so you can’t just hit it from your web browser. +The easiest way around this is to setup a NAT rule with: + +``` +lxc exec openstack -- iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to +``` + +Where “” is the dashboard IP address conjure-up gave you at the end of the installation. + +You can now grab the IP address of the “openstack” container (from “lxc info openstack”) and point your web browser to: http:///horizon + +This can take a few minutes to load the first time around. Once the login screen is loaded, enter the default login and password (admin/openstack) and you’ll be greeted by the OpenStack dashboard! + + ![oslxd-dashboard](https://www.stgraber.org/wp-content/uploads/2016/10/oslxd-dashboard.png) + +You can now head to the “Project” tab on the left and the “Instances” page. To start a new instance using nova-lxd, click on “Launch instance”, select what image you want, network, … and your instance will get spawned. + +Once it’s running, you can assign it a floating IP which will let you reach your instance from within your “openstack” container. + +# Conclusion + +OpenStack is a pretty complex piece of software, it’s also not something you really want to run at home or on a single server. But it’s certainly interesting to be able to do it anyway, keeping everything contained to a single container on your machine. 
+ +Conjure-Up is a great tool to deploy such complex software, using Juju behind the scene to drive the deployment, using LXD containers for every individual service and finally for the instances themselves. + +It’s also one of the very few cases where multiple level of container nesting actually makes sense! + +-------------------------------------------------------------------------- +作者简介:I’m Stéphane Graber. I’m probably mostly known as the LXC and LXD project leader, currently working as a technical lead for LXD at Canonical Ltd. from my home in Montreal, Quebec, Canada. + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/10/26/lxd-2-0-lxd-and-openstack-1112/ + +作者:[Stéphane Graber ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.stgraber.org/author/stgraber/ +[1]:https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ From b833865fd57a1a0d1234de248005f967873279e3 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:16:16 +0800 Subject: [PATCH 055/181] =?UTF-8?q?20161229-1=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...XD 2.0--LXD and Juju.md => Part 10 - LXD 2.0--LXD and Juju.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/LXD/{Part 5 - LXD 2.0--LXD and Juju.md => Part 10 - LXD 2.0--LXD and Juju.md} (100%) diff --git a/sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md similarity index 100% rename from sources/tech/LXD/Part 5 - LXD 2.0--LXD and Juju.md rename to sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md From 06037484bc0d6782063aa72ab9e4e4b67dfff0d4 Mon Sep 17 00:00:00 2001 
From: Ezio Date: Thu, 29 Dec 2016 04:22:31 +0800 Subject: [PATCH 056/181] =?UTF-8?q?20161229-3=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ucture from Linux Command Line – Part 2.md | 394 ++++++++++++++++++ 1 file changed, 394 insertions(+) create mode 100644 sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md diff --git a/sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md new file mode 100644 index 0000000000..05244e22db --- /dev/null +++ b/sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md 
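Review bot: In the file added by PATCH 054 (LXD and OpenStack), the NAT command under "Access the dashboard and spawn a container" is not runnable as committed, because the address placeholders were lost in conversion: `iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to` ends with no destination, the next sentence reads `Where “” is the dashboard IP address`, and the URL is `http:///horizon`. Restore the placeholders from the post at the `via:` URL, writing them in a form that survives Markdown rendering (for example `<IP>` inside backticks). The file is also created as `Part 11 - LXD 2.0--LXD and Juju.md` while its title line is "LXD 2.0: LXD and OpenStack [11/12]"; the filename should match the content, especially as PATCH 055 renames the actual Juju article to `Part 10`. Smaller items for the translator: "a lof of", "make our live easier" and "wasn’t be able to" are source typos. The paragraph stating that the privileged, nesting-enabled container with `/dev/mem` access has most LXD security benefits "effectively disabled" should stay next to the `lxc launch` command it qualifies.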
@@ -0,0 +1,394 @@ +How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 +============================================================ + +This tutorial will cover [some basic daily commands][4] you need to use in order to manage Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups. + +We’ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller. + +#### Requirements + +1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] +2. [Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3][2] +3. [Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4][3] + +### Step 1: Manage Samba AD DC from Command Line + +1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain. + +With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions. + +To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter. + +``` +# samba-tool -h +``` +[ + ![samba-tool - Manage Samba Administration Tool](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png) +][5] + +samba-tool – Manage Samba Administration Tool + +2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users. 
+ +In order to create a user on AD use the following command: + +``` +# samba-tool user add your_domain_user +``` + +To add a user with several important fields required by AD, use the following syntax: + +``` +--------- review all options --------- +# samba-tool user add -h +# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash +``` +[ + ![Create User on Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png) +][6] + +Create User on Samba AD + +3. A listing of all samba AD domain users can be obtained by issuing the following command: + +``` +# samba-tool user list +``` +[ + ![List Samba AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png) +][7] + +List Samba AD Users + +4. To delete a samba AD domain user use the below syntax: + +``` +# samba-tool user delete your_domain_user +``` + +5. Reset a samba domain user password by executing the below command: + +``` +# samba-tool user setpassword your_domain_user +``` + +6. In order to disable or enable an samba AD User account use the below command: + +``` +# samba-tool user disable your_domain_user +# samba-tool user enable your_domain_user +``` + +7. Likewise, samba groups can be managed with the following command syntax: + +``` +--------- review all options --------- +# samba-tool group add –h +# samba-tool group add your_domain_group +``` + +8. Delete a samba domain group by issuing the below command: + +``` +# samba-tool group delete your_domain_group +``` + +9. To display all samba domain groups run the following command: + +``` +# samba-tool group list +``` + +10. 
To list all the samba domain members in a specific group use the command: + +``` +# samba-tool group listmembers "your_domain group" +``` +[ + ![List Samba Domain Members of Group](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png) +][8] + +List Samba Domain Members of Group + +11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands: + +``` +# samba-tool group addmembers your_domain_group your_domain_user +# samba-tool group remove members your_domain_group your_domain_user +``` + +12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security. + +To review your samba domain password settings use the below command: + +``` +# samba-tool domain passwordsettings show +``` +[ + ![Check Samba Domain Password](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png) +][9] + +Check Samba Domain Password + +13. In order to modify samba domain password policy, such as the password complexity level, password ageing, length, how many old password to remember and other security features required for a Domain Controller use the below screenshot as a guide. + +``` +---------- List all command options ---------- +# samba-tool domain passwordsettings -h +``` +[ + ![Manage Samba Domain Password Settings](http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png) +][10] + +Manage Samba Domain Password Settings + +Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes. + +### Step 2: Samba Local Authentication Using Active Directory Accounts + +14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DCenvironment. 
+ +In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC. + +First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot. + +``` +$ sudo nano /etc/samba/smb.conf +``` + +Make sure the following statements appear on the configuration file: + +``` +winbind enum users = yes +winbind enum groups = yes +``` +[ + ![Samba Authentication Using Active Directory User Accounts](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png) +][11] + +Samba Authentication Using Active Directory User Accounts + +15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command. + +``` +$ testparm +$ sudo systemctl restart samba-ad-dc.service +``` +[ + ![Check Samba Configuration for Errors](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png) +][12] + +Check Samba Configuration for Errors + +16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directory accounts to be able to authenticate and open a session on the local system and create a home directory for users at first login. + +Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using `[space]` key as illustrated on the below screenshot. + +When finished hit `[Tab]` key to move to Ok and apply changes. 
+ +``` +$ sudo pam-auth-update +``` +[ + ![Configure PAM for Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png) +][13] + +Configure PAM for Samba4 AD + +[ + ![Enable PAM Authentication Module for Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png) +][14] + +Enable PAM Authentication Module for Samba4 AD Users + +17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot. + +``` +$ sudo vi /etc/nsswitch.conf +``` +[ + ![Add Windbind Service Switch for Samba](http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png) +][15] + +Add Windbind Service Switch for Samba + +18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement. + +This setting assures that Active Directory users can change their password from command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from console. + +``` +password [success=1 default=ignore] pam_winbind.so try_first_pass +``` +[ + ![Allow Samba AD Users to Change Passwords](http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png) +][16] + +Allow Samba AD Users to Change Passwords + +Remove use_authtok option each time PAM updates are installed and applied to PAM modules or each time you execute pam-auth-update command. + +19. Samba4 binaries comes with a winbindd daemon built-in and enabled by default. + +For this reason you’re no longer required to separately enable and run winbind daemon provided by winbind package from official Ubuntu repositories. 
+ +In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands: + +``` +$ sudo systemctl disable winbind.service +$ sudo systemctl stop winbind.service +``` + +Although, we no longer need to run old winbind daemon, we still need to install Winbind package from repositories in order to install and use wbinfo tool. + +Wbinfo utility can be used to query Active Directory users and groups from winbindd daemon point of view. + +The following commands illustrates how to query AD users and groups using wbinfo. + +``` +$ wbinfo -g +$ wbinfo -u +$ wbinfo -i your_domain_user +``` +[ + ![Check Samba4 AD Information ](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png) +][17] + +Check Samba4 AD Information + +[ + ![Check Samba4 AD User Info](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png) +][18] + +Check Samba4 AD User Info + +20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file. + +Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database. + +``` +# getent passwd | grep TECMINT +# getent group | grep TECMINT +``` +[ + ![Get Samba4 AD Details](http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png) +][19] + +Get Samba4 AD Details + +### Step 3: Login in Linux with an Active Directory User + +21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after `su -` command. + +At the first login a message will be displayed on the console which notifies you that a home directory has been created on `/home/$DOMAIN/` system path with the mane of your AD username. + +Use id command to display extra information about the authenticated user. 
+ +``` +# su - your_ad_user +$ id +$ exit +``` +[ + ![Check Samba4 AD User Authentication on Linux](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png) +][20] + +Check Samba4 AD User Authentication on Linux + +22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system. + +``` +$ su - your_ad_user +$ passwd +``` +[ + ![Change Samba4 AD User Password](http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png) +][21] + +Change Samba4 AD User Password + +23. By default, Active Directory users are not granted with root privileges in order to perform administrative tasks on Linux. + +To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command. + +Make sure you enclose the realm, slash and AD username with single ASCII quotes. + +``` +# usermod -aG sudo 'DOMAIN\your_domain_user' +``` + +To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions. + +``` +# su - tecmint_user +$ sudo apt-get update +``` +[ + ![Grant sudo Permission to Samba4 AD User](http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png) +][22] + +Grant sudo Permission to Samba4 AD User + +24. In case you want to add root privileges for all accounts of an Active Directory group, edit /etc/sudoers file using visudo command and add the below line after root privileges line, as illustrated on the below screenshot: + +``` +%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL +``` + +Pay attention to sudoers syntax so you don’t break things out. 
+ +Sudoers file doesn’t handles very well the use of ASCII quotation marks, so make sure you use `%` to denote that you’re referring to a group and use a backslash to escape the first slash after the domain name and another backslash to escape spaces if your group name contains spaces (most of AD built-in groups contain spaces by default). Also, write the realm with uppercases. + +[ + ![Give Sudo Access to All Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png) +][23] + +Give Sudo Access to All Samba4 AD Users + +That’s all for now! Managing Samba4 AD infrastructure can be also achieved with several tools from Windows environment, such as ADUC, DNS Manager, GPM or other, which can be obtained by installing RSAT package from Microsoft download page. + +To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial, till then stay tuned to TecMint. + +------ + +作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. 
+ + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ + +作者:[Matei Cezar ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[2]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ +[3]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ +[4]:http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/ +[5]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png +[6]:http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png +[7]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png +[8]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png +[11]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png +[12]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png +[15]:http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png +[16]:http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png +[17]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png 
+[18]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png +[21]:http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png +[22]:http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png +[23]:http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png +[24]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# +[25]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# +[26]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# +[27]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# +[28]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/#comments From ddf9ad1c3f653a1142d73cc1a870c7e9518b861a Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:24:33 +0800 Subject: [PATCH 057/181] =?UTF-8?q?20161229-4=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ucture from Windows10 via RSAT – Part 3.md | 360 ++++++++++++++++++ 1 file changed, 360 insertions(+) create mode 100644 sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md diff --git a/sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md b/sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md new file mode 100644 index 0000000000..cd00ef3c26 --- /dev/null +++ b/sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md 
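Review bot: Two commands in Step 1 of the Samba4 Part 2 file (PATCH 056) will fail when copied. Item 7 has `samba-tool group add –h` with an en dash instead of `-h`, and item 11 has `samba-tool group remove members`, where the samba-tool subcommand is the single word `removemembers`. Both should be corrected or at least flagged for the translator, since readers paste these lines into a root shell on a domain controller. Item 14 has "DCenvironment" run together and item 21 has "mane" for "name". The reference definitions `[24]` to `[28]` are not cited anywhere in the body and all point at the article's own URL followed by `#` or `#comments`, so they can be dropped from the added file. Item 24's sudoers line grants `ALL=(ALL:ALL) ALL` to an entire AD group and is shown with no surrounding sudoers context; the translation should keep the author's instruction to edit through `visudo` directly beside that line.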
@@ -0,0 +1,360 @@ +Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3 +============================================================ + +In this part of the [Samba4 AD DC infrastructure series][8] we will talk on how join a Windows 10 machine into a Samba4 realm and how to administer the domain from a Windows 10 workstation. + +Once a Windows 10 system has been joined to Samba4 AD DC we can create, remove or disable domain users and groups, we can create new Organizational Units, we can create, edit and manage domain policy or we can manage Samba4 domain DNS service. + +All of the above functions and other complex tasks concerning domain administration can be achieved via any modern Windows platform with the help of RSAT – Microsoft Remote Server Administration Tools. + +#### Requirements + +1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] +2. [Manage Samba4 AD Infrastructure from Linux Command Line – Part 2][2] +3. [Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4][3] + +### Step 1: Configure Domain Time Synchronization + +1. Before starting to administer Samba4 ADDC from Windows 10 with the help of RSAT tools, we need to know and take care of a crucial piece of service required for an Active Directory and this service refers to [accurate time synchronization][9]. + +Time synchronization can be offered by NTP daemon in most of the Linux distributions. The default maximum time period discrepancy an AD can support is about 5 minutes. + +If the divergence time period is greater than 5 minutes you should start experience various errors, most important concerning AD users, joined machines or share access. + +To install Network Time Protocol daemon and NTP client utility in Ubuntu, execute the below command. 
+ +``` +$ sudo apt-get install ntp ntpdate +``` +[ + ![Install NTP on Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png) +][10] + +Install NTP on Ubuntu + +2. Next, open and edit NTP configuration file and replace the default NTP pool server list with a new list of NTP servers which are geographically located near your current physical equipment location. + +The list of NTP servers can be obtained by visiting official NTP Pool Project webpage [http://www.pool.ntp.org/en/][11]. + +``` +$ sudo nano /etc/ntp.conf +``` + +Comment the default server list by adding a `#` in front of each pool line and add the below pool lines with your proper NTP servers as illustrated on the below screenshot. + +``` +pool 0.ro.pool.ntp.org iburst +pool 1.ro.pool.ntp.org iburst +pool 2.ro.pool.ntp.org iburst +# Use Ubuntu's ntp server as a fallback. +pool 3.ro.pool.ntp.org +``` +[ + ![Configure NTP Server in Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png) +][12] + +Configure NTP Server in Ubuntu + +3. Now, don’t close the file yet. Move to the top at the file and add the below line after the driftfile statement. This setup allows the clients to query the server using AD signed NTP requests. + +``` +ntpsigndsocket /var/lib/samba/ntp_signd/ +``` +[ + ![Sync AD with NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png) +][13] + +Sync AD with NTP + +4. Finally, move to the bottom of the file and add the below line, as illustrated on the below screenshot, which will allow network clients only to query the time on the server. + +``` +restrict default kod nomodify notrap nopeer mssntp +``` +[ + ![Query Clients to NTP Server](http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png) +][14] + +Query Clients to NTP Server + +5. 
When finished, save and close the NTP configuration file and grant NTP service with the proper permissions in order to read the ntp_signed directory. + +This is the system path where Samba NTP socket is located. Afterwards, restart NTP daemon to apply changes and verify if NTP has open sockets in your system network table using [netstat command][15]combined with [grep filter][16]. + +``` +$ sudo chown root:ntp /var/lib/samba/ntp_signd/ +$ sudo chmod 750 /var/lib/samba/ntp_signd/ +$ sudo systemctl restart ntp +$ sudo netstat –tulpn | grep ntp +``` +[ + ![Grant Permission to NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png) +][17] + +Grant Permission to NTP + +Use the ntpq command line utility to monitor NTP daemon along with the `-p` flag in order to print a summary of peers state. + +``` +$ ntpq -p +``` +[ + ![Monitor NTP Server Pool](http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png) +][18] + +Monitor NTP Server Pool + +### Step 2: Troubleshoot NTP Time Issues + +6. Sometimes the NTP daemon gets stuck in calculations while trying to synchronize time with an upstream ntp server peer, resulting the following error messages when manually trying to force time synchronization by running ntpdate utility on a client side: + +``` +# ntpdate -qu adc1 +ntpdate[4472]: no server suitable for synchronization found +``` +[ + ![NTP Time Synchronization Error](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png) +][19] + +NTP Time Synchronization Error + +when using ntpdate command with `-d` flag. + +``` +# ntpdate -d adc1.tecmint.lan +Server dropped: Leap not in sync +``` +[ + ![NTP Server Dropped Leap Not in Sync](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png) +][20] + +NTP Server Dropped Leap Not in Sync + +7. 
To circumvent this issue, use the following trick to solve the problem: On the server, stop the NTP service and use the ntpdate client utility to manually force time synchronization with an external peer using the `-b` flag as shown below: + +``` +# systemctl stop ntp.service +# ntpdate -b 2.ro.pool.ntp.org [your_ntp_peer] +# systemctl start ntp.service +# systemctl status ntp.service +``` +[ + ![Force NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png) +][21] + +Force NTP Time Synchronization + +8. After the time has been accurately synchronized, start the NTP daemon on the server and verify from the client side if the service is ready to serve time for local clients by issuing the following command: + +``` +# ntpdate -du adc1.tecmint.lan [your_adc_server] +``` +[ + ![Verify NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png) +][22] + +Verify NTP Time Synchronization + +By now, NTP server should work as expected. + +### Step 3: Join Windows 10 into Realm + +9. As we saw in our previous tutorial, [Samba4 Active Directory can be managed from command line using samba-tool][23] utility interface which can be accessed directly from server’s VTY console or remotely connected through SSH. + +Other, more intuitively and flexible alternative, would be to manage our Samba4 AD Domain Controller via Microsoft Remote Server Administration Tools (RSAT) from a Windows workstation integrated into the domain. These tools are available in almost all modern Windows systems. + +The process of joining Windows 10 or older versions of Microsoft OS into Samba4 AD DC is very simple. First, make sure that your Windows 10 workstation has the correct Samba4 DNS IP address configured in order to query the proper realm resolver. 
+ +Open Control panel -> Network and Internet -> Network and Sharing Center -> Ethernet card -> Properties -> IPv4 -> Properties -> Use the following DNS server addresses and manually place Samba4 AD IP Address to the network interface as illustrated in the below screenshots. + +[ + ![join Windows to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png) +][24] + +join Windows to Samba4 AD + +[ + ![Add DNS and Samba4 AD IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png) +][25] + +Add DNS and Samba4 AD IP Address + +Here, 192.168.1.254 is the IP Address of Samba4 AD Domain Controller responsible for DNS resolution. Replace the IP Address accordingly. + +10. Next, apply the network settings by hitting on OK button, open a Command Prompt and issue a pingagainst the generic domain name and Samba4 host FQDN in order to test if the realm is reachable through DNS resolution. + +``` +ping tecmint.lan +ping adc1.tecmint.lan +``` +[ + ![Check Network Connectivity Between Windows and Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png) +][26] + +Check Network Connectivity Between Windows and Samba4 AD + +11. If the resolver correctly responds to Windows client DNS queries, then, you need to assure that the time is accurately synchronized with the realm. + +Open Control Panel -> Clock, Language and Region -> Set Time and Date -> Internet Time tab -> Change Settings and write your domain name on Synchronize with and Internet time server field. + +Hit on Update Now button to force time synchronization with the realm and hit OK to close the window. + +[ + ![Synchronize Time with Internet Server](http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png) +][27] + +Synchronize Time with Internet Server + +12. 
Finally, join the domain by opening System Properties -> Change -> Member of Domain, write your domain name, hit OK, enter your domain administrative account credentials and hit OK again. + +A new pop-up window should open informing you’re a member of the domain. Hit OK to close the pop-up window and reboot the machine in order to apply domain changes. + +The below screenshot will illustrate these steps. + +[ + ![Join Windows Domain to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png) +][28] + +Join Windows Domain to Samba4 AD + +[ + ![Enter Domain Administration Login](http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png) +][29] + +Enter Domain Administration Login + +[ + ![Domain Joined to Samba4 AD Confirmation](http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png) +][30] + +Domain Joined to Samba4 AD Confirmation + +[ + ![Restart Windows Server for Changes](http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png) +][31] + +Restart Windows Server for Changes + +13. After restart, hit on Other user and logon to Windows with a Samba4 domain account with administrative privileges and you should be ready to move to the next step. + +[ + ![Login to Windows Using Samba4 AD Account](http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png) +][32] + +Login to Windows Using Samba4 AD Account + +#### Step 4: Administer Samba4 AD DC with RSAT + +14. Microsoft Remote Server Administration Tools (RSAT), which will be further used to administer Samba4 Active Directory, can be downloaded from the following links, depending on your Windows version: + +1. Windows 10: [https://www.microsoft.com/en-us/download/details.aspx?id=45520][4] +2. Windows 8.1: [http://www.microsoft.com/en-us/download/details.aspx?id=39296][5] +3. 
Windows 8: [http://www.microsoft.com/en-us/download/details.aspx?id=28972][6] +4. Windows 7: [http://www.microsoft.com/en-us/download/details.aspx?id=7887][7] + +Once the update standalone installer package for Windows 10 has been downloaded on your system, run the installer, wait for the installation to finish and restart the machine to apply all updates. + +After reboot, open Control Panel -> Programs (Uninstall a Program) -> Turn Windows features on or offand check all Remote Server Administration Tools. + +Click OK to start the installation and after the installation process finishes, restart the system. + +[ + ![Administer Samba4 AD from Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png) +][33] + +Administer Samba4 AD from Windows + +15. To access RSAT tools go to Control Panel -> System and Security -> Administrative Tools. + +The tools can also be found in the Administrative tools menu from start menu. Alternatively, you can open Windows MMC and add Snap-ins using the File -> Add/Remove Snap-in menu. + +[ + ![Access Remote Server Administration Tools](http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png) +][34] + +Access Remote Server Administration Tools + +The most used tools, such as AD UC, DNS and Group Policy Management can be launched directly from Desktop by creating shortcuts using Send to feature from menu. + +16. You can verify RSAT functionality by opening AD UC and list domain Computers (newly joined windows machine should appear in the list), create a new Organizational Unit or a new user or group. + +Verify if the users or groups had been properly created by issuing wbinfo command from Samba4 server side. 
+ +[ + ![Active Directory Users and Computers](http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png) +][35] + +Active Directory Users and Computers + +[ + ![Create Organizational Units and New Users](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png) +][36] + +Create Organizational Units and New Users + +[ + ![Confirm Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png) +][37] + +Confirm Samba4 AD Users + +That’s it! On the next part of this topic we will cover other important aspects of a Samba4 Active Directory which can be administered via RSAT, such as, how to manage DNS server, add DNS records and create a reverse DNS lookup zone, how to manage and apply domain policy and how to create an interactive logon banner for your domain users. + +------ + +作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. 
+ + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ + +作者:[Matei Cezar ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[3]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ +[4]:https://www.microsoft.com/en-us/download/details.aspx?id=45520 +[5]:http://www.microsoft.com/en-us/download/details.aspx?id=39296 +[6]:http://www.microsoft.com/en-us/download/details.aspx?id=28972 +[7]:http://www.microsoft.com/en-us/download/details.aspx?id=7887 +[8]:http://www.tecmint.com/category/samba4-active-directory/ +[9]:http://www.tecmint.com/how-to-synchronize-time-with-ntp-server-in-ubuntu-linux-mint-xubuntu-debian/ +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png +[11]:http://www.pool.ntp.org/en/ +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png +[15]:http://www.tecmint.com/20-netstat-commands-for-linux-network-management/ +[16]:http://www.tecmint.com/12-practical-examples-of-linux-grep-command/ +[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png 
+[21]:http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png +[22]:http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png +[23]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[24]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png +[25]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png +[26]:http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png +[27]:http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png +[28]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png +[29]:http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png +[30]:http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png +[31]:http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png +[32]:http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png +[33]:http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png +[34]:http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png +[35]:http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png +[36]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png +[37]:http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png +[38]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[39]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[40]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[41]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[42]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/#comments 
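Review bot: In Step 1 item 5 of the Part 3 article, the command `sudo netstat –tulpn | grep ntp` has an en dash instead of an ASCII hyphen in front of `tulpn`, so it fails when pasted; change it to `-tulpn`. The same item calls the socket directory `ntp_signed` while the `ntpsigndsocket`, `chown` and `chmod` lines all use `/var/lib/samba/ntp_signd/`, so the prose should match the path. Item 4 says the `restrict default kod nomodify notrap nopeer mssntp` line lets clients only query the time, but as written it carries no `noquery`, which leaves ntpq status queries open to every client; the text should say so or the flag should be added. Smaller points: `pingagainst` and `offand` have lost a space, the comment `# Use Ubuntu's ntp server as a fallback.` sits above `pool 3.ro.pool.ntp.org` rather than an Ubuntu server, Step 4 uses `####` where Steps 1 to 3 use `###`, and reference definitions [38] to [42] are never cited in the body.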
From 29eb5b5a5376c2c0185ade09ac1a0ca51cbd6d50 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:26:08 +0800 Subject: [PATCH 058/181] =?UTF-8?q?20161229-5=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ... and Group Policy from Windows – Part 4.md | 220 ++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md diff --git a/sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md b/sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md new file mode 100644 index 0000000000..d91b2915b2 --- /dev/null +++ b/sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md 
@@ -0,0 +1,220 @@ +Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4 +============================================================ + +Continuing the previous tutorial on [how to administer Samba4 from Windows 10 via RSAT][4], in this part we’ll see how to remotely manage our Samba AD Domain controller DNS server from Microsoft DNS Manager, how to create DNS records, how to create a Reverse Lookup Zone and how to create a domain policy via Group Policy Management tool. + +#### Requirements + +1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] +2. [Manage Samba4 AD Infrastructure from Linux Command Line – Part 2][2] +3. [Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3][3] + +### Step 1: Manage Samba DNS Server + +Samba4 AD DC uses an internal DNS resolver module which is created during the initial domain provision (if BIND9 DLZ module is not specifically used). + +Samba4 internal DNS module supports the basic features needed for an AD Domain Controller. The domain DNS server can be managed in two ways, directly from command line through samba-tool interface or remotely from a Microsoft workstation which is part of the domain via RSAT DNS Manager. + +Here, we’ll cover the second method because it’s more intuitive and not so prone to errors. + +1. To administer the DNS service for your domain controller via RSAT, go to your Windows machine, open Control Panel -> System and Security -> Administrative Tools and run DNS Manager utility. + +Once the tool opens, it will ask you on what DNS running server you want to connect. Choose The following computer, type your domain name in the field (or IP Address or FQDN can be used as well), check the box that says ‘Connect to the specified computer now’ and hit OK to open your Samba DNSservice. 
+ +[ + ![Connect Samba4 DNS on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png) +][5] + +Connect Samba4 DNS on Windows + +2. In order to add a DNS record (as an example we will add an `A` record that will point to our LAN gateway), navigate to domain Forward Lookup Zone, right click on the right plane and choose New Host(`A` or `AAA`). + +[ + ![Add DNS A Record on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png) +][6] + +Add DNS A Record on Windows + +3. On the New host opened window, type the name and the IP Address of your DNS resource. The FQDNwill be automatically written for you by DNS utility. When finished, hit the Add Host button and a pop-up window will inform you that your DNS A record has been successfully created. + +Make sure you add DNS A records only for those resources in your network [configured with static IP Addresses][7]. Don’t add DNS A records for hosts which are configured to acquire network configurations from a DHCP server or their IP Addresses change often. + +[ + ![Configure Samba Host on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png) +][8] + +Configure Samba Host on Windows + +To update a DNS record just double click on it and write your modifications. To delete the record right click on the record and choose delete from the menu. + +In the same way you can add other types of DNS records for your domain, such as CNAME (also known as DNS alias record) MX records (very useful for mail servers) or other type of records (SPF, TXT, SRVetc). + +### Step 2: Create a Reverse Lookup Zone + +By default, Samba4 Ad DC doesn’t automatically add a reverse lookup zone and PTR records for your domain because these types of records are not crucial for a domain controller to function correctly. 
+ +Instead, a DNS reverse zone and its PTR records are crucial for the functionality of some important network services, such as an e-mail service because these type of records can be used to verify the identity of clients requesting a service. + +Practically, PTR records are just the opposite of standard DNS records. The clients know the IP address of a resource and queries the DNS server to find out their registered DNS name. + +4. In order to a create a reverse lookup zone for Samba AD DC, open DNS Manager, right click on Reverse Lookup Zone from the left plane and choose New Zone from the menu. + +[ + ![Create Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png) +][9] + +Create Reverse Lookup DNS Zone + +5. Next, hit Next button and choose Primary zone from Zone Type Wizard. + +[ + ![Select DNS Zone Type](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png) +][10] + +Select DNS Zone Type + +6. Next, choose To all DNS servers running on domain controllers in this domain from the AD Zone Replication Scope, chose IPv4 Reverse Lookup Zone and hit Next to continue. + +[ + ![Select DNS for Samba Domain Controller](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png) +][11] + +Select DNS for Samba Domain Controller + +[ + ![Add Reverse Lookup Zone Name](http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png) +][12] + +Add Reverse Lookup Zone Name + +7. Next, type the IP network address for your LAN in Network ID filed and hit Next to continue. + +All PTR records added in this zone for your resources will point back only to 192.168.1.0/24 network portion. If you want to create a PTR record for a server that does not reside in this network segment (for example mail server which is located in 10.0.0.0/24 network), then you’ll need to create a new reverse lookup zone for that network segment as well. 
+ +[ + ![Add IP Address of Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png) +][13] + +Add IP Address of Reverse Lookup DNS Zone + +8. On the next screen choose to Allow only secure dynamic updates, hit next to continue and, finally hit on finish to complete zone creation. + +[ + ![Enable Secure Dynamic Updates](http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png) +][14] + +Enable Secure Dynamic Updates + +[ + ![New DNS Zone Summary](http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png) +][15] + +New DNS Zone Summary + +9. At this point you have a valid DNS reverse lookup zone configured for your domain. In order to add a PTR record in this zone, right click on the right plane and choose to create a PTR record for a network resource. + +In this case we’ve created a pointer for our gateway. In order to test if the record was properly added and works as expected from client’s point of view, open a Command Prompt and issue a nslookup query against the name of the resource and another query for its IP Address. + +Both queries should return the correct answer for your DNS resource. + +``` +nslookup gate.tecmint.lan +nslookup 192.168.1.1 +ping gate +``` +[ + ![Add DNS PTR Record and Query PTR](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png) +][16] + +Add DNS PTR Record and Query PTR + +### Step 3: Domain Group Policy Management + +10. An important aspect of a domain controller is its ability to control system resources and security from a single central point. This type of task can be easily achieved in a domain controller with the help of Domain Group Policy. + +Unfortunately, the only way to edit or manage group policy in a samba domain controller is through RSAT GPM console provided by Microsoft. 
+ +In the below example we’ll see how simple can be to manipulate group policy for our samba domain in order to create an interactive logon banner for our domain users. + +In order to access group policy console, go to Control Panel -> System and Security -> Administrative Tools and open Group Policy Management console. + +Expand the fields for your domain and right click on Default Domain Policy. Choose Edit from the menu and a new windows should appear. + +[ + ![Manage Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png) +][17] + +Manage Samba Domain Group Policy + +11. On Group Policy Management Editor window go to Computer Configuration -> Policies -> Windows Settings -> Security settings -> Local Policies -> Security Options and a new options list should appear in the right plane. + +In the right plane search and edit with your custom settings following two entries presented on the below screenshot. + +[ + ![Configure Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png) +][18] + +Configure Samba Domain Group Policy + +12. After finishing editing the two entries, close all windows, open an elevated Command prompt and force group policy to apply on your machine by issuing the below command: + +``` +gpupdate /force +``` +[ + ![Update Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png) +][19] + +Update Samba Domain Group Policy + +13. Finally, reboot your computer and you’ll see the logon banner in action when you’ll try to perform logon. + +[ + ![Samba4 AD Domain Controller Logon Banner](http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png) +][20] + +Samba4 AD Domain Controller Logon Banner + +That’s all! Group Policy is a very complex and sensitive subject and should be treated with maximum care by system admins. 
Also, be aware that group policy settings won’t apply in any way to Linux systems integrated into the realm. + +------ + +作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. + + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ + +作者:[Matei Cezar ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[3]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ +[4]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ +[5]:http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png +[6]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png +[7]:http://www.tecmint.com/set-add-static-ip-address-in-linux/ +[8]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png +[11]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png +[15]:http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png 
+[16]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png +[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png +[21]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[22]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[23]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[24]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[25]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/#comments From d922be7f77f19925410ad8761446ef87196e35ca Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:34:23 +0800 Subject: [PATCH 059/181] =?UTF-8?q?20161229-6=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...n Email Server on Ubuntu Linux - Part 2.md | 254 ++++++++++++++++++ 1 file changed, 254 insertions(+) create mode 100644 sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md b/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md new file mode 100644 index 0000000000..4f0790c05f --- /dev/null +++ b/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md 
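Review bot: In Step 1 item 2 of the Part 4 article (the hunk that ends just above), the menu entry is written as New Host(`A` or `AAA`), which names a record type that does not exist; IPv6 host records are `AAAA`. Item 11 tells the reader to edit the "following two entries presented on the below screenshot" without naming either policy setting, so the logon banner step cannot be followed from the text alone; name both settings in the sentence. Smaller points: `DNSservice`, `FQDNwill` and `SRVetc` are run together, `Samba4 Ad DC` should read `AD DC` as elsewhere in the file, and reference definitions [21] to [25] are never cited in the body.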
@@ -0,0 +1,254 @@ +Building an Email Server on Ubuntu Linux, Part 2 +============================================================ + +### [dovecot-email.jpg][4] + + ![Dovecot email](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/dovecot-email.jpg?itok=tY4veggw "Dovecot email") +Part 2 in this tutorial shows how to use Dovecot to move messages off your Postfix server and into your users' email inboxes.[Creative Commons Zero][2]Pixabay + +In [part 1][5], we installed and tested the Postfix SMTP server. Postfix, or any SMTP server, isn't a complete mail server because all it does is move messages between SMTP servers. We need Dovecot to move messages off your Postfix server and into your users' email inboxes. + +Dovecot supports the two standard mail protocols, IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol). An IMAP server retains all messages on the server. Your users have the option to download messages to their computers or access them only on the server. IMAP is convenient for users who have multiple machines. It's more work for you because you have to ensure that your server is always available, and IMAP servers require a lot of storage and memory. + +POP3 is an older protocol. A POP3 server can serve many more users than an IMAP server because messages are downloaded to your users' computers. Most mail clients have the option to leave messages on the server for a certain number of days, so POP3 can behave somewhat like IMAP. But it's not IMAP, and when you do this messages are often downloaded multiple times or deleted unexpectedly. + +### Install Dovecot + +Fire up your trusty Ubuntu system and install Dovecot: + +``` + +$ sudo apt-get install dovecot-imapd dovecot-pop3d +``` + +It installs with a working configuration and automatically starts after installation, which you can confirm with `ps ax | grep dovecot`: + +``` + +$ ps ax | grep dovecot +15988 ? Ss 0:00 /usr/sbin/dovecot +15990 ? S 0:00 dovecot/anvil +15991 ? 
S 0:00 dovecot/log +``` + +Open your main Postfix configuration file, `/etc/postfix/main.cf`, and make sure it is configured for maildirs and not mbox mail stores; mbox is single giant file for each user, while maildir gives each message its own file. Lots of little files are more stable and easier to manage than giant bloaty files. Add these two lines; the second line tells Postfix you want maildir format, and to create a `.Mail` directory for every user in their home directories. You can name this directory anything you want, it doesn't have to be `.Mail`: + +``` + +mail_spool_directory = /var/mail +home_mailbox = .Mail/ +``` + +Now tweak your Dovecot configuration. First rename the original `dovecot.conf` file to get it out of the way, because it calls a host of `conf.d` files and it is better to keep things simple while you're learning: + +``` + +$ sudo mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot-oldconf +``` + +Now create a clean new `/etc/dovecot/dovecot.conf` with these contents: + +``` + +disable_plaintext_auth = no +mail_location = maildir:~/.Mail +namespace inbox { + inbox = yes + mailbox Drafts { + special_use = \Drafts + } + mailbox Sent { + special_use = \Sent + } + mailbox Trash { + special_use = \Trash + } +} +passdb { + driver = pam +} +protocols = " imap pop3" +ssl = no +userdb { + driver = passwd +} +``` + +Note that `mail_location = maildir` must match the `home_mailbox` parameter in `main.cf`. Save your changes and reload both Postfix and Dovecot's configurations: + +``` + +$ sudo postfix reload +$ sudo dovecot reload +``` + +### Fast Way to Dump Configurations + +Use these commands to quickly review your Postfix and Dovecot configurations: + +``` + +$ postconf -n +$ doveconf -n +``` + +### Test Dovecot + +Now let's put telnet to work again, and send ourselves a test message. The lines in bold are the commands that you type. 
`studio` is my server's hostname, so of course you must use your own: + +``` + +$ telnet studio 25 +Trying 127.0.1.1... +Connected to studio. +Escape character is '^]'. +220 studio.router ESMTP Postfix (Ubuntu) +EHLO studio +250-studio.router +250-PIPELINING +250-SIZE 10240000 +250-VRFY +250-ETRN +250-STARTTLS +250-ENHANCEDSTATUSCODES +250-8BITMIME +250-DSN +250 SMTPUTF8 +mail from: tester@test.net +250 2.1.0 Ok +rcpt to: carla@studio +250 2.1.5 Ok +data +354 End data with .Date: November 25, 2016 +From: tester +Message-ID: first-test +Subject: mail server test +Hi carla, +Are you reading this? Let me know if you didn't get this. +. +250 2.0.0 Ok: queued as 0C261A1F0F +quit +221 2.0.0 Bye +Connection closed by foreign host. +``` + +Now query Dovecot to fetch your new message. Log in using your Linux username and password: + +``` + +$ telnet studio 110 +Trying 127.0.0.1... +Connected to studio. +Escape character is '^]'. ++OK Dovecot ready. +user carla ++OK +pass password ++OK Logged in. +stat ++OK 2 809 +list ++OK 2 messages: +1 383 +2 426 +. +retr 2 ++OK 426 octets +Return-Path: +X-Original-To: carla@studio +Delivered-To: carla@studio +Received: from studio (localhost [127.0.0.1]) + by studio.router (Postfix) with ESMTP id 0C261A1F0F + for ; Wed, 30 Nov 2016 17:18:57 -0800 (PST) +Date: November 25, 2016 +From: tester@studio.router +Message-ID: first-test +Subject: mail server test + +Hi carla, +Are you reading this? Let me know if you didn't get this. +. +quit ++OK Logging out. +Connection closed by foreign host. +``` + +Take a moment to compare the message entered in the first example, and the message received in the second example. It is easy to spoof the return address and date, but Postfix is not fooled. Most mail clients default to displaying a minimal set of headers, but you need to read the full headers to see the true backtrace. + +You can also read your messages by looking in your `~/Mail/cur` directory. They are plain text. 
Mine has two test messages: + +``` + +$ ls .Mail/cur/ +1480540325.V806I28e0229M351743.studio:2,S +1480555224.V806I28e000eM41463.studio:2,S +``` + +### Testing IMAP + +Our Dovecot configuration enables both POP3 and IMAP, so let's use telnet to test IMAP. + +``` + +$ telnet studio imap2 +Trying 127.0.1.1... +Connected to studio. +Escape character is '^]'. +* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS +ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. +A1 LOGIN carla password +A1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS +ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS +THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT +CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE +QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS +BINARY MOVE SPECIAL-USE] Logged in +A2 LIST "" "*" +* LIST (\HasNoChildren) "." INBOX +A2 OK List completed (0.000 + 0.000 secs). +A3 EXAMINE INBOX +* FLAGS (\Answered \Flagged \Deleted \Seen \Draft) +* OK [PERMANENTFLAGS ()] Read-only mailbox. +* 2 EXISTS +* 0 RECENT +* OK [UIDVALIDITY 1480539462] UIDs valid +* OK [UIDNEXT 3] Predicted next UID +* OK [HIGHESTMODSEQ 1] Highest +A3 OK [READ-ONLY] Examine completed (0.000 + 0.000 secs). +A4 logout +* BYE Logging out +A4 OK Logout completed. +Connection closed by foreign host +``` + +### Thunderbird Mail Client + +This screenshot in Figure 1 shows what my messages look like in a graphical mail client on another host on my LAN. + +### [thunderbird-mail.png][3] + + ![thunderbird mail](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/thunderbird-mail.png?itok=IkWK5Ti_ "thunderbird mail") + +Figure 1: Thunderbird mail.[Used with permission][1] + +At this point, you have a working IMAP and POP3 mail server, and you know how to test your server. Your users will choose which protocol they want to use when they set up their mail clients. 
If you want to support only one mail protocol, then name just the one in your Dovecot configuration. + +However, you are far from finished. This is a very simple, wide-open setup with no encryption. It also works only for users on the same system as your mail server. This is not scalable and has some security risks, such as no protection for passwords. Come back [next week ][6]to learn how to create mail users that are separate from system users, and how to add encryption. + +-------------------------------------------------------------------------------- + +via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-2 + +作者:[ CARLA SCHRODER][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/cschroder +[1]:https://www.linux.com/licenses/category/used-permission +[2]:https://www.linux.com/licenses/category/creative-commons-zero +[3]:https://www.linux.com/files/images/thunderbird-mailpng +[4]:https://www.linux.com/files/images/dovecot-emailjpg +[5]:https://www.linux.com/learn/how-build-email-server-ubuntu-linux +[6]:https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-3 From 1f76b2f25587ce572e874768c4bde665358ef780 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 04:35:40 +0800 Subject: [PATCH 060/181] =?UTF-8?q?20161229-7=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...n Email Server on Ubuntu Linux - Part 3.md | 220 ++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md b/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md new file mode 100644 index 0000000000..aeee0b4273 --- /dev/null 
+++ b/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md 
@@ -0,0 +1,220 @@ +Building an Email Server on Ubuntu Linux, Part 3 +============================================================ + +### [mail-server.jpg][2] + + ![Mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-server.jpg?itok=Ox1SCDsV "Mail server") +In the final part of this tutorial series, we go into detail on how to set up virtual users and mailboxes in Dovecot and Postfix.[Creative Commons Zero][1]pixabay + +Welcome back, me hearty Linux syadmins! In [part 1][3] and [part 2][4] of this series, we learned to how to put Postfix and Dovecot together to make a nice IMAP and POP3 mail server. Now we will learn to make virtual users so that we can manage all of our users in Dovecot. + +### Sorry, No SSL. Yet. + +I know I promised to show you how to set up a proper SSL-protected server. Unfortunately, I underestimated how large that topic is. So, I will realio trulio write a comprehensive how-to by next month. + +For today, in this final part of this series, we'll go into detail on how to set up virtual users and mailboxes in Dovecot and Postfix. It's a bit weird to wrap your mind around, so the following examples are as simple as I can make them. We'll use plain flat files and plain-text authentication. You have the options of using database back ends and nice strong forms of encrypted authentication; see the links at the end for more information on these. + +### Virtual Users + +You want virtual users on your email server and not Linux system users. Using Linux system users does not scale, and it exposes their logins, and your Linux server, to unnecessary risk. Setting up virtual users requires editing configuration files in both Postfix and Dovecot. We'll start with Postfix. First, we'll start with a clean, simplified `/etc/postfix/main.cf`. 
Move your original `main.cf` out of the way and create a new clean one with these contents: + +``` + +compatibility_level=2 +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU) +biff = no +append_dot_mydomain = no + +myhostname = localhost +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = $myhostname +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all + +virtual_mailbox_domains = /etc/postfix/vhosts.txt +virtual_mailbox_base = /home/vmail +virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt +virtual_minimum_uid = 1000 +virtual_uid_maps = static:5000 +virtual_gid_maps = static:5000 +virtual_transport = lmtp:unix:private/dovecot-lmtp0 +``` + +You may copy this exactly, except for the `192.168.0.0/24` parameter for `mynetworks`, as this should reflect your own local subnet. + +Next, create the user and group `vmail`, which will own your virtual mailboxes. The virtual mailboxes are stored in `vmail's` home directory. + +``` + +$ sudo groupadd -g 5000 vmail +$ sudo useradd -m -u 5000 -g 5000 -s /bin/bash vmail +``` + +Then reload the Postfix configurations: + +``` + +$ sudo postfix reload +[sudo] password for carla: +postfix/postfix-script: refreshing the Postfix mail system +``` + +### Dovecot Virtual Users + +We'll use Dovecot's `lmtp` protocol to connect it to Postfix. You probably need to install it: + +``` + +$ sudo apt-get install dovecot-lmtpd +``` + +The last line in our example `main.cf` references `lmtp`. Copy this example `/etc/dovecot/dovecot.conf`, replacing your existing file. Again, we are using just this single file, rather than calling the files in `/etc/dovecot/conf.d`. 
+ +``` + +protocols = imap pop3 lmtp +log_path = /var/log/dovecot.log +info_log_path = /var/log/dovecot-info.log +ssl = no +disable_plaintext_auth = no +mail_location = maildir:~/.Mail +pop3_uidl_format = %g +auth_verbose = yes +auth_mechanisms = plain + +passdb { + driver = passwd-file + args = /etc/dovecot/passwd +} + +userdb { + driver = static + args = uid=vmail gid=vmail home=/home/vmail/studio/%u +} + +service lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } +} + +protocol lmtp { + postmaster_address = postmaster@studio +} +service lmtp { + user = vmail +} +``` + +At last, you can create the file that holds your users and passwords, `/etc/dovecot/passwd`. For simple plain text authorization we need only our users' full email addresses and passwords: + +``` + +alrac@studio:{PLAIN}password +layla@studio:{PLAIN}password +fred@studio:{PLAIN}password +molly@studio:{PLAIN}password +benny@studio:{PLAIN}password +``` + +The Dovecot virtual users are independent of the Postfix virtual users, so you will manage your users in Dovecot. Save all of your changes and restart Postfix and Dovecot: + +``` + +$ sudo service postfix restart +$ sudo service dovecot restart +``` + +Now let's use good old telnet to see if Dovecot is set up correctly. + +``` + +$ telnet studio 110 +Trying 127.0.1.1... +Connected to studio. +Escape character is '^]'. ++OK Dovecot ready. +user molly@studio ++OK +pass password ++OK Logged in. +quit ++OK Logging out. +Connection closed by foreign host. +``` + +So far so good! Now let's send some test messages to our users with the `mail` command. Make sure to use the whole user's email address and not just the username. + +``` + +$ mail benny@studio +Subject: hello and welcome! +Please enjoy your new mail account! +. +``` + +The period on the last line sends your message. Let's see if it landed in the correct mailbox. 
+ +``` + +$ sudo ls -al /home/vmail/studio/benny@studio/.Mail/new +total 16 +drwx------ 2 vmail vmail 4096 Dec 14 12:39 . +drwx------ 5 vmail vmail 4096 Dec 14 12:39 .. +-rw------- 1 vmail vmail 525 Dec 14 12:39 1481747995.M696591P5790.studio,S=525,W=540 +``` + +And there it is. It is a plain text file that we can read: + +``` +$ less 1481747995.M696591P5790.studio,S=525,W=540 +Return-Path: +Delivered-To: benny@studio +Received: from localhost + by studio (Dovecot) with LMTP id V01ZKRuuUVieFgAABiesew + for ; Wed, 14 Dec 2016 12:39:55 -0800 +Received: by localhost (Postfix, from userid 1000) + id 9FD9CA1F58; Wed, 14 Dec 2016 12:39:55 -0800 (PST) +Date: Wed, 14 Dec 2016 12:39:55 -0800 +To: benny@studio +Subject: hello and welcome! +User-Agent: s-nail v14.8.6 +Message-Id: <20161214203955.9FD9CA1F58@localhost> +From: carla@localhost (carla) + +Please enjoy your new mail account! +``` + +You could also use telnet for testing, as in the previous segments of this series, and set up accounts in your favorite mail client, such as Thunderbird, Claws-Mail, or KMail. + +### Troubleshooting + +When things don't work, check your logfiles (see the configuration examples), and run `journalctl -xe`. This should give you all the information you need to spot typos, uninstalled packages, and nice search terms for Google. + +### What Next? + +Assuming your LAN name services are correctly configured, you now have a nice usable LAN mail server. Obviously, sending messages in plain text is not optimal, and an absolute no-no for Internet mail. See [Dovecot SSL configuration][5] and [Postfix TLS Support][6]. [VirtualUserFlatFilesPostfix][7] covers TLS and database back ends. And watch for my upcoming SSL how-to. Really. 
+ +-------------------------------------------------------------------------------- + +via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-3 + +作者:[ CARLA SCHRODER][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/cschroder +[1]:https://www.linux.com/licenses/category/creative-commons-zero +[2]:https://www.linux.com/files/images/mail-serverjpg +[3]:https://www.linux.com/learn/how-build-email-server-ubuntu-linux +[4]:https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-2 +[5]:http://wiki.dovecot.org/SSL/DovecotConfiguration +[6]:http://www.postfix.org/TLS_README.html +[7]:http://www.postfix.org/TLS_README.html From aba8966ae12986d67f95d1738a06d007d2d66cfa Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 09:10:14 +0800 Subject: [PATCH 061/181] translating --- sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md index 9098c3d987..d16c39d1dd 100644 --- a/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md +++ b/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md @@ -1,3 +1,5 @@ +translating---geekpi + # LXD 2.0: LXD and Juju [10/12] This is the tenth blog post in [this series about LXD 2.0][1]. From 59c6d7542a98bad7708c80d16fb56e6780a97eab Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Thu, 29 Dec 2016 09:50:57 +0800 Subject: [PATCH 062/181] translating by ypingcn. translating by ypingcn. How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10 --- ...61024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md | 2 ++ 1 file changed, 2 insertions(+) 
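Review bot: In the Part 2 file (`@@ -0,0 +1,254 @@`), the sentence after the POP3 session tells the reader to look in `~/Mail/cur`, but `home_mailbox = .Mail/`, `mail_location = maildir:~/.Mail` and the `ls .Mail/cur/` listing directly below it all use `.Mail`; the path in the prose should be `~/.Mail/cur`. The telnet transcripts in the same hunk have also lost their angle-bracketed text: `354 End data with .Date: November 25, 2016` fuses the server's DATA prompt with the first typed header, `Return-Path:` is empty and the `Received:` header ends in `for ;`. "The lines in bold are the commands that you type" refers to formatting a fenced block cannot carry. Restore these from the source article before the file is handed to a translator.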
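Review bot: In the Part 3 file (`@@ -0,0 +1,220 @@`), `main.cf` ends with `virtual_transport = lmtp:unix:private/dovecot-lmtp0`, while the Dovecot `unix_listener` is `/var/spool/postfix/private/dovecot-lmtp`; with the trailing `0` Postfix would look for a socket that Dovecot never creates, so the two names need to agree. The same `main.cf` references `/etc/postfix/vhosts.txt` and `/etc/postfix/vmaps.txt`, which the text never shows being created, and link `[7]` (VirtualUserFlatFilesPostfix) carries the same URL as `[6]`, `http://www.postfix.org/TLS_README.html`. Check all three against the source article or flag them for the translator.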
diff --git a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md b/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md index 126c5a49bc..b69f0474c7 100644 --- a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md +++ b/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md @@ -1,3 +1,5 @@ +translating by ypingcn. + How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10 ==== From a301890daa11b581be11ed46caff3ae793e042b6 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 09:51:12 +0800 Subject: [PATCH 063/181] translated --- .../LXD/Part 10 - LXD 2.0--LXD and Juju.md | 83 +++++++++---------- 1 file changed, 41 insertions(+), 42 deletions(-) rename {sources => translated}/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md (76%) diff --git a/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md b/translated/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md similarity index 76% rename from sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md rename to translated/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md index d16c39d1dd..969374da74 100644 --- a/sources/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md +++ b/translated/tech/LXD/Part 10 - LXD 2.0--LXD and Juju.md 
@@ -1,27 +1,26 @@ -translating---geekpi +LXD 2.0 系列(十):LXD和Juju +====================================== -# LXD 2.0: LXD and Juju [10/12] - -This is the tenth blog post in [this series about LXD 2.0][1]. +这是 [LXD 2.0 系列介绍文章][1]的第十篇。 ![LXD logo](https://linuxcontainers.org/static/img/containers.png) -Introduction +介绍 ============================================================ -Juju is Canonical’s service modeling and deployment tool. It supports a very wide range of cloud providers to make it easy for you to deploy any service you want on any cloud you want. +Juju是Canonical的服务建模和部署工具。 它支持非常广泛的云提供商,使您能够轻松地在任何云上部署任何您想要的服务。 -On top of that, Juju 2.0 also includes support for LXD, both for local deployments, ideal for development and as a way to co-locate services on a cloud instance or physical machine. +此外,Juju 2.0还支持LXD,既适用于本地部署,也适合开发,并且可以在云实例或物理机上共同协作。 -This post will focus on the local use case, going through the experience of a LXD user without any pre-existing Juju experience. +本篇文章将关注本地使用,通过一个没有任何Juju经验的LXD用户来体验。 -# Requirements +# 要求 -This post assumes that you already have LXD 2.0 installed and configured (see previous posts) and that you’re running it on Ubuntu 16.04 LTS. +本篇文章假设你已经安装了LXD 2.0并且配置完毕(看前面的文章),并且是在Ubuntu 16.04 LTS上运行的。 -# Setting up Juju +# 设置 Juju -The first thing to do is to install Juju 2.0\. On Ubuntu 16.04, it’s as simple as: +第一件事是在Ubuntu 16.04上安装Juju 2.0。这个很简单: ``` stgraber@dakara:~$ sudo apt install juju @@ -53,9 +52,9 @@ Setting up juju-2.0 (2.0~beta7-0ubuntu1.16.04.1) ... Setting up juju (2.0~beta7-0ubuntu1.16.04.1) ... ``` -Once that’s done, we can bootstrap a new “controller” using LXD. This means that Juju will not modify anything on your host, it will instead install its management service inside a LXD container. +安装完成后,我们可以使用LXD启动一个新的“控制器”。这意味着Juju不会修改你主机上的任何东西,它会在LXD容器中安装它的管理服务。 -Here, we’ll be creating a controller called “test” with: +现在我们创建一个“test”控制器: ``` stgraber@dakara:~$ juju bootstrap localhost test 
@@ -87,7 +86,7 @@ Waiting for API to become available: upgrade in progress (upgrade in progress) Bootstrap complete, local.test now available. ``` -This should take about a minute, at which point you’ll see a new LXD container running: +这会花费一点时间,这时你可以看到一个正在运行的一个新的LXD容器: ``` stgraber@dakara:~$ lxc list juju- @@ -98,7 +97,7 @@ stgraber@dakara:~$ lxc list juju- +-----------------------------------------------------+---------+----------------------+------+------------+-----------+ ``` -On the Juju side of things, you can confirm that it’s responding and that nothing is running yet: +在Juju这边,你可以确认它有响应,并且还没有服务运行: ``` stgraber@dakara:~$ juju status @@ -112,7 +111,7 @@ ID WORKLOAD-STATUS JUJU-STATUS VERSION MACHINE PORTS PUBLIC-ADDRESS MESSAGE ID STATE DNS INS-ID SERIES AZ ``` -You can also access the Juju GUI in your web browser with: +你也可以在浏览器中访问Juju的GUI界面: ``` stgraber@dakara:~$ juju gui @@ -123,11 +122,11 @@ https://10.178.150.72:17070/gui/97fa390d-96ad-44df-8b59-e15fdcfc636b/ ![Juju web UI](https://www.stgraber.org/wp-content/uploads/2016/06/juju-gui.png) -Though I prefer the command line so that’s what I’ll be using next. +尽管我更倾向使用命令行,因此我会在接下来使用。 -# Deploying a minecraft server +# 部署一个minecraft服务 -So lets start with something very trivial, just deploy a service that uses a single Juju unit in a single container. +让我们先来一个简单的,部署在一个容器中使用一个Juju单元的服务。 ``` stgraber@dakara:~$ juju deploy cs:trusty/minecraft @@ -135,7 +134,7 @@ Added charm "cs:trusty/minecraft-3" to the model. Deploying charm "cs:trusty/minecraft-3" with the charm series "trusty". ``` -This should return pretty much immediately. It however doesn’t mean the service is already up and running. Instead you’ll want to look at “juju status”: +返回会很快,然而这不意味着服务已经启动并运行了。你应该使用“juju status”来查看: ``` stgraber@dakara:~$ juju status 
@@ -153,7 +152,7 @@ ID STATE DNS INS-ID SERIES AZ ``` -Here we can see it’s currently busy installing java in the LXD container it just created. +我们可以看到它正在忙于在刚刚创建的LXD容器中安装java。 ``` stgraber@dakara:~$ lxc list juju- @@ -166,7 +165,7 @@ stgraber@dakara:~$ lxc list juju- +-----------------------------------------------------+---------+----------------------+------+------------+-----------+ ``` -After a little while, the service will be done deploying as can be seen here: +过一会之后,如我们所见服务就部署完毕了: ``` stgraber@dakara:~$ juju status @@ -183,23 +182,23 @@ ID STATE DNS INS-ID SERIES AZ 1 started 10.178.150.74 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-1 trusty ``` -At which point you can fire up your minecraft client, point it at 10.178.150.74 on port 25565 and play with your all new minecraft server! +这时你就可以启动你的Minecraft客户端了,它指向10.178.150.74,端口是25565。现在可以在新的minecraft服务器上玩了! -When you want to get rid of it, just run: +当你不再需要它,只需运行: ``` stgraber@dakara:~$ juju destroy-service minecraft ``` -Wait a few seconds and everything will be gone. +只要等待几秒就好了。 -# Deploying a more complex web application +# 部署一个更复杂的web应用 -Juju’s main focus is on modeling complex services and deploying them in a scallable way. +Juju的主要工作是建模复杂的服务,并以可扩展的方式部署它们。 -To better show that, lets deploy a Juju “bundle”. This bundle is a basic web service, made of a website, an API endpoint, a database, a static web server and a reverse proxy. +为了更好地展示,让我们部署一个Juju “组合”。 这个组合是由网站,API,数据库,静态Web服务器和反向代理组成的基本Web服务。 -So that’s going to expand to 4, inter-connected LXD containers. +所以这将扩展到4个互联的LXD容器。 ``` stgraber@dakara:~$ juju deploy cs:~charmers/bundle/web-infrastructure-in-a-box @@ -229,7 +228,7 @@ added nginx-proxy/0 unit to new machine deployment of bundle "cs:~charmers/bundle/web-infrastructure-in-a-box-10" completed ``` -A few seconds later, you’ll see all the LXD containers running: +几秒后,你会看到LXD容器在运行了: ``` stgraber@dakara:~$ lxc list juju- 
@@ -248,7 +247,7 @@ stgraber@dakara:~$ lxc list juju- +-----------------------------------------------------+---------+-----------------------+------+------------+-----------+ ``` -After a couple of minutes, all the services should be deployed and running: +几分钟后,所有的服务应该部署完毕并运行了: ``` stgraber@dakara:~$ juju status @@ -284,15 +283,15 @@ ID STATE DNS INS-ID SERIES AZ 5 started 10.178.150.214 juju-97fa390d-96ad-44df-8b59-e15fdcfc636b-machine-5 trusty ``` -At which point, you can hit the reverse proxy on port 80 with http://10.178.150.214 and you’ll hit the Juju academy web service. +这时你就可以在80端口访问http://10.178.150.214,并且会看到一个Juju学院页面。 [ ![Juju Academy web service](https://www.stgraber.org/wp-content/uploads/2016/06/juju-academy.png) ][2] -# Cleaning everything up +# 清理所有东西 -If you want to get rid of all the containers Juju created and don’t mind having to bootstrap again next time, the easiest way to destroy everything is with: +如果你不需要Juju创建的容器并且不在乎下次需要再次启动,最简单的方法是: ``` stgraber@dakara:~$ juju destroy-controller test --destroy-all-models @@ -320,7 +319,7 @@ Waiting on 1 model All hosted models reclaimed, cleaning up controller machines ``` -And we can confirm that it’s all gone: +我们用下面的方式确认: ``` stgraber@dakara:~$ lxc list juju- 
@@ -329,23 +328,23 @@ stgraber@dakara:~$ lxc list juju- +------+-------+------+------+------+-----------+ ``` -# Conclusion +# 总结 -Juju 2.0’s built-in LXD support makes for a very clean way to test a whole variety of services. +Juju 2.0内置的LXD支持使得可以用一种非常干净的方式来测试各种服务。 -There are quite a few pre-made “bundles” for you to deploy in the Juju charm store and even more “charms” that you can use to piece together the architecture you want. +在Juju charm store中有很多预制的“组合”可以用来部署,甚至可以用多个“charm”来组合你想要的架构。 -Juju with LXD is the perfect solution for easily developing anything from a small web service to a big scale out infrastructure, all on your own machine, without creating a mess on your system! +Juju与LXD是一个完美的解决方案,从一个小的Web服务到大规模的基础设施都可以简单开发,这些都在你自己的机器上,并且不会在你的系统上造成混乱! -------------------------------------------------------------------------- -作者简介:I’m Stéphane Graber. I’m probably mostly known as the LXC and LXD project leader, currently working as a technical lead for LXD at Canonical Ltd. from my home in Montreal, Quebec, Canada. +作者简介:我是Stéphane Graber。我是LXC和LXD项目的领导者,目前在加拿大魁北克蒙特利尔的家所在的Canonical有限公司担任LXD的技术主管。 -------------------------------------------------------------------------------- via: https://www.stgraber.org/2016/06/06/lxd-2-0-lxd-and-juju-1012/ 作者:[ Stéphane Graber][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 0c4bba931709bc9efa640ea8066c8f29c0e948cc Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 09:53:02 +0800 Subject: [PATCH 064/181] translating --- sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md index 3a981c8dec..71fe057ea1 100644 --- a/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md 
+++ b/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md @@ -1,3 +1,5 @@ +translating---geekpi + # LXD 2.0: LXD and OpenStack [11/12] This is the eleventh blog post in [this series about LXD 2.0][1]. From fa2ac3269a226ec6f3a828c87f75c81a4667946a Mon Sep 17 00:00:00 2001 From: "Fuliang.Li" Date: Thu, 29 Dec 2016 10:04:36 +0800 Subject: [PATCH 065/181] =?UTF-8?q?[=E5=BC=80=E5=A7=8B=E7=BF=BB=E8=AF=91]?= =?UTF-8?q?=20How=20to=20check=20if=20port=20is=20in=20use=20on=20Linux=20?= =?UTF-8?q?or=20Unix?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../20161110 How to check if port is in use on Linux or Unix.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md b/sources/tech/20161110 How to check if port is in use on Linux or Unix.md index 5c2451b9ea..50b4b34ac3 100644 --- a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md +++ b/sources/tech/20161110 How to check if port is in use on Linux or Unix.md @@ -1,3 +1,5 @@ +GHLandy Translating + How to check if port is in use on Linux or Unix ============================================================ From bca85528e0846a7223d2571568006de03d0486de Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 10:58:42 +0800 Subject: [PATCH 066/181] translated --- .../LXD/Part 11 - LXD 2.0--LXD and Juju.md | 129 ------------------ .../LXD/Part 11 - LXD 2.0--LXD and Juju.md | 128 +++++++++++++++++ 2 files changed, 128 insertions(+), 129 deletions(-) delete mode 100644 sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md create mode 100644 translated/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md diff --git a/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md b/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md deleted file mode 100644 index 71fe057ea1..0000000000 --- a/sources/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md +++ /dev/null 
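Review bot: In the first hunk (`@@ -1,27 +1,26 @@`) of the translated `Part 10 - LXD 2.0--LXD and Juju.md`, "as a way to co-locate services on a cloud instance or physical machine" is rendered as 并且可以在云实例或物理机上共同协作, which reads as services collaborating rather than being placed together on one host; something like 将多个服务部署在同一个云实例或物理机上 keeps the meaning. The same sentence turns "local deployments, ideal for development" into two separate uses (既适用于本地部署,也适合开发), where the original says local deployment is what suits development.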
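Review bot: In the last hunk (`@@ -329,23 +328,23 @@`) of the translated `Part 10 - LXD 2.0--LXD and Juju.md`, the author bio now reads 目前在加拿大魁北克蒙特利尔的家所在的Canonical有限公司担任LXD的技术主管, which places Canonical at the author's home; the original says he works for Canonical from his home in Montreal. "I'm probably mostly known as" has also been dropped, which turns a hedged statement into a flat one. Suggest rewording the bio so that both points survive.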
@@ -1,129 +0,0 @@ -translating---geekpi - -# LXD 2.0: LXD and OpenStack [11/12] - -This is the eleventh blog post in [this series about LXD 2.0][1]. - - ![LXD logo](https://linuxcontainers.org/static/img/containers.png) - -Introduction -============================================================ - -First of all, sorry for the delay. It took quite a long time before I finally managed to get all of this going. My first attempts were using devstack which ran into a number of issues that had to be resolved. Yet even after all that, I still wasn’t be able to get networking going properly. - -I finally gave up on devstack and tried “conjure-up” to deploy a full Ubuntu OpenStack using Juju in a pretty user friendly way. And it finally worked! - -So below is how to run a full OpenStack, using LXD containers instead of VMs and running all of this inside a LXD container (nesting!). - -# Requirements - -This post assumes you’ve got a working LXD setup, providing containers with network access and that you have a pretty beefy CPU, around 50GB of space for the container to use and at least 16GB of RAM. - -Remember, we’re running a full OpenStack here, this thing isn’t exactly light! - -# Setting up the container - -OpenStack is made of a lof of different components, doing a lot of different things. Some require some additional privileges so to make our live easier, we’ll use a privileged container. - -We’ll configure that container to support nesting, pre-load all the required kernel modules and allow it access to /dev/mem (as is apparently needed). - -Please note that this means that most of the security benefit of LXD containers are effectively disabled for that container. However the containers that will be spawned by OpenStack itself will be unprivileged and use all the normal LXD security features. 
- -``` -lxc launch ubuntu:16.04 openstack -c security.privileged=true -c security.nesting=true -c "linux.kernel_modules=iptable_nat, ip6table_nat, ebtables, openvswitch" -lxc config device add openstack mem unix-char path=/dev/mem -``` - -There is a small bug in LXD where it would attempt to load kernel modules that have already been loaded on the host. This has been fixed in LXD 2.5 and will be fixed in LXD 2.0.6 but until then, this can be worked around with: - -``` -lxc exec openstack -- ln -s /bin/true /usr/local/bin/modprobe -``` - -Then we need to add a couple of PPAs and install conjure-up, the deployment tool we’ll use to get OpenStack going. - -``` -lxc exec openstack -- apt-add-repository ppa:conjure-up/next -y -lxc exec openstack -- apt-add-repository ppa:juju/stable -y -lxc exec openstack -- apt update -lxc exec openstack -- apt dist-upgrade -y -lxc exec openstack -- apt install conjure-up -y -``` - -And the last setup step is to configure LXD networking inside the container. -Answer with the default for all questions, except for: - -* Use the “dir” storage backend (“zfs” doesn’t work in a nested container) -* Do NOT configure IPv6 networking (conjure-up/juju don’t play well with it) - -``` -lxc exec openstack -- lxd init -``` - -And that’s it for the container configuration itself, now we can deploy OpenStack! - -# Deploying OpenStack with conjure-up - -As mentioned earlier, we’ll be using conjure-up to deploy OpenStack. -This is a nice, user friendly, tool that interfaces with Juju to deploy complex services. - -Start it with: - -``` -lxc exec openstack -- sudo -u ubuntu -i conjure-up -``` - -* Select “OpenStack with NovaLXD” -* Then select “localhost” as the deployment target (uses LXD) -* And hit “Deploy all remaining applications” - -This will now deploy OpenStack. The whole process can take well over an hour depending on what kind of machine you’re running this on. 
You’ll see all services getting a container allocated, then getting deployed and finally interconnected. - - ![Conjure-Up deploying OpenStack](https://www.stgraber.org/wp-content/uploads/2016/10/conjure-up.png) - -Once the deployment is done, a few post-install steps will appear. This will import some initial images, setup SSH authentication, configure networking and finally giving you the IP address of the dashboard. - -# Access the dashboard and spawn a container - -The dashboard runs inside a container, so you can’t just hit it from your web browser. -The easiest way around this is to setup a NAT rule with: - -``` -lxc exec openstack -- iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to -``` - -Where “” is the dashboard IP address conjure-up gave you at the end of the installation. - -You can now grab the IP address of the “openstack” container (from “lxc info openstack”) and point your web browser to: http:///horizon - -This can take a few minutes to load the first time around. Once the login screen is loaded, enter the default login and password (admin/openstack) and you’ll be greeted by the OpenStack dashboard! - - ![oslxd-dashboard](https://www.stgraber.org/wp-content/uploads/2016/10/oslxd-dashboard.png) - -You can now head to the “Project” tab on the left and the “Instances” page. To start a new instance using nova-lxd, click on “Launch instance”, select what image you want, network, … and your instance will get spawned. - -Once it’s running, you can assign it a floating IP which will let you reach your instance from within your “openstack” container. - -# Conclusion - -OpenStack is a pretty complex piece of software, it’s also not something you really want to run at home or on a single server. But it’s certainly interesting to be able to do it anyway, keeping everything contained to a single container on your machine. 
- -Conjure-Up is a great tool to deploy such complex software, using Juju behind the scene to drive the deployment, using LXD containers for every individual service and finally for the instances themselves. - -It’s also one of the very few cases where multiple level of container nesting actually makes sense! - --------------------------------------------------------------------------- -作者简介:I’m Stéphane Graber. I’m probably mostly known as the LXC and LXD project leader, currently working as a technical lead for LXD at Canonical Ltd. from my home in Montreal, Quebec, Canada. - --------------------------------------------------------------------------------- - -via: https://www.stgraber.org/2016/10/26/lxd-2-0-lxd-and-openstack-1112/ - -作者:[Stéphane Graber ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.stgraber.org/author/stgraber/ -[1]:https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ diff --git a/translated/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md b/translated/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md new file mode 100644 index 0000000000..f1d6d241f9 --- /dev/null +++ b/translated/tech/LXD/Part 11 - LXD 2.0--LXD and Juju.md 
@@ -0,0 +1,128 @@ +LXD 2.0 系列(十):LXD和OpenStack +====================================== + +这是 [LXD 2.0 系列介绍文章][1]的第十一篇。 + + ![LXD logo](https://linuxcontainers.org/static/img/containers.png) + +介绍 +============================================================ + +首先对这次的延期抱歉。为了让一切正常我花了很长时间。我第一次尝试是使用devstack时遇到了一些必须解决问题。 然而即使这样,我还是不能够使网络正常。 + +我终于放弃了devstack,并使用用户友好的Juju尝试使用“conjure-up”部署完整的Ubuntu OpenStack。它终于工作了! + +下面是如何运行一个完整的OpenStack,使用LXD容器而不是VM,并在LXD容器中运行所有这些(嵌套的!)。 + +# 要求 + +这篇文章假设你有一个可以工作的LXD设置,提供容器网络访问,并且你有一个非常强大的CPU,大约50GB给容器空间和至少16GB的内存。 + +记住,我们在这里运行一个完整的OpenStack,这东西不是很轻量! + +# 设置容器 + +OpenStack由大量不同做不同事情的组件组成。 一些需要一些额外的特权,这样可以使设置更简单,我们将使用特权容器。 + +我们将配置支持嵌套的容器,预加载所有需要的内核模块,并允许它访问/dev/mem(显然是需要的)。 + +请注意,这意味着LXD容器的大部分安全特性对该容器被禁用。 然而由OpenStack自身产生的容器将是无特权的,并且可以正常使用LXD的安全特性。 + +``` +lxc launch ubuntu:16.04 openstack -c security.privileged=true -c security.nesting=true -c "linux.kernel_modules=iptable_nat, ip6table_nat, ebtables, openvswitch" +lxc config device add openstack mem unix-char path=/dev/mem +``` + +LXD中有一个小bug,它会尝试加载已经加载到主机上的内核模块。这已在LXD 2.5中得到修复,并将在LXD 2.0.6中修复,但在此之前,可以使用以下方法: + +``` +lxc exec openstack -- ln -s /bin/true /usr/local/bin/modprobe +``` + +我们需要加几条PPA并安装conjure-up,它是我们用来安装Openstack的部署工具。 + +``` +lxc exec openstack -- apt-add-repository ppa:conjure-up/next -y +lxc exec openstack -- apt-add-repository ppa:juju/stable -y +lxc exec openstack -- apt update +lxc exec openstack -- apt dist-upgrade -y +lxc exec openstack -- apt install conjure-up -y +``` + +最后一步是在容器内部配置LXD网络。 +所有问题都选择默认,除了: + +* 使用“dir”存储后端(“zfs”不在嵌套容器中有用) +* 不要配置IPv6网络(conjure-up/juju不太兼容它) + +``` +lxc exec openstack -- lxd init +``` + +现在配置完容器了,现在我们部署OpenStack! 
+ +# 用conjure-up部署OpenStack + +如先前提到的,我们用conjure-up部署OpenStack。 +这是一个很棒的用户友好的可以与Juju交互来部署复杂服务的工具。 + +首先: + +``` +lxc exec openstack -- sudo -u ubuntu -i conjure-up +``` + +* 选择“OpenStack with NovaLXD” +* 选择“localhost”作为部署目标(使用LXD) +* 点击“Deploy all remaining applications” + +接下来会部署OpenStack。整个过程会花费一个多小时,这取决于你运行的机器。你将看到所有服务会被分配一个容器,然后部署并最终互连。 + + ![Conjure-Up deploying OpenStack](https://www.stgraber.org/wp-content/uploads/2016/10/conjure-up.png) + +部署完成后会显示一个安装完成的界面。它会导入一些初始镜像、设置SSH权限、配置网络最后会显示面板的IP地址。 + +# 访问面板并生成一个容器 + +面板运行在一个容器中,因此你不能直接从浏览器中访问。 +最简单的方法是设置一条NAT规则: + +``` +lxc exec openstack -- iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to +``` + +其中“”是conjure-up在安装结束时给你的面板IP地址。 + +你现在可以获取“openstack”容器的IP地址(来自“lxc info openstack”),并将浏览器指向:http:///horizon + +第一次加载可能需要几分钟。 一旦显示了登录界面,输入默认登录名和密码(admin/openstack),你就会看到OpenStack的欢迎面板! + +  ![oslxd-dashboard](https://www.stgraber.org/wp-content/uploads/2016/10/oslxd-dashboard.png) + +现在可以选择左边的“Project”选项卡,进入“Instances”页面。 要启动一个使用nova-lxd的新实例,点击“Launch instance”,选择你想要的镜像,网络等,接着你的实例就产生了。 + +一旦它运行后,你可以为它分配一个浮动IP,它将允许你从你的“openstack”容器中访问你的实例。 + +# 总结 + +OpenStack是一个非常复杂的软件,你也不会想在家里或在单个服务器上运行它。 但是,不管怎样在你的机器上包含这些服务在一个容器中都是非常有趣的。 + +conjure-up是部署这种复杂软件的一个很好的工具,背后使用Juju驱动部署,为每个单独的服务使用LXD容器,最后是实例本身。 + +它也是少数几个容器嵌套多层并实际上有意义的情况之一! + +-------------------------------------------------------------------------- +作者简介:我是Stéphane Graber。我是LXC和LXD项目的领导者,目前在加拿大魁北克蒙特利尔的家所在的Canonical有限公司担任LXD的技术主管。 + +-------------------------------------------------------------------------------- + +via: https://www.stgraber.org/2016/10/26/lxd-2-0-lxd-and-openstack-1112/ + +作者:[Stéphane Graber ][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.stgraber.org/author/stgraber/ +[1]:https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ 
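Review bot: The added file is named `Part 11 - LXD 2.0--LXD and Juju.md`, but its body is the "LXD and OpenStack" article (the `via:` link ends in `lxd-2-0-lxd-and-openstack-1112/`). The title line also says `LXD 2.0 系列(十)` while the first paragraph calls it the eleventh post (第十一篇). Rename the file to match the article and make the number in the title agree with the text. In the dashboard section the NAT rule ends at `-j DNAT --to` with no destination, and the next two lines read `其中“”是` and `http:///horizon`. The placeholders for the dashboard IP and the container IP were lost (the removed English source has the same gap), so a reader who copies the command gets an incomplete iptables rule. Put a visible placeholder back in all three places. The `校对:[校对者ID]` line is still the template value.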
From 48c2656f0a3d6d1043282df7a066cc1201cd2547 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 11:06:13 +0800 Subject: [PATCH 067/181] translating --- .../tech/Building an Email Server on Ubuntu Linux - Part 2.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md b/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md index 4f0790c05f..4c28c0bad3 100644 --- a/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md +++ b/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md @@ -1,3 +1,5 @@ +translating---geekpi + Building an Email Server on Ubuntu Linux, Part 2 ============================================================ From d00ddb7dba636de8f20a4751d72cc93430fbbcd1 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:16:56 +0800 Subject: [PATCH 068/181] =?UTF-8?q?20161229-7=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Using the NTP time synchronization.md | 142 ++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 sources/tech/Using the NTP time synchronization.md diff --git a/sources/tech/Using the NTP time synchronization.md b/sources/tech/Using the NTP time synchronization.md new file mode 100644 index 0000000000..eb0f80da7f --- /dev/null +++ b/sources/tech/Using the NTP time synchronization.md 
@@ -0,0 +1,142 @@ +使用 NTP 进行时间同步 +============================================================ + +NTP 是通过网络来同步时间的一种 TCP/IP 协议。通常客户端向服务器请求当前的时间,并根据结果来设置其时钟。 + +Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks, and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is a lot more complex than you might think - it has to factor out communication delays, and adjust the time in a way that does not upset all the other processes that run on the server. But luckily all that complexity is hidden from you! + +Ubuntu uses ntpdate and ntpd. + +* [timedatectl][4] +* [timesyncd][5] +* [ntpdate][6] +* [timeservers][7] +* [ntpd][8] +* [安装][9] +* [配置][10] +* [View status][11] +* [PPS Support][12] +* [参考资料][13] + +### timedatectl + +In recent Ubuntu releases timedatectl replaces ntpdate. By default timedatectl syncs the time once on boot and later on uses socket activation to recheck once network connections become active. + +If ntpdate / ntp is installed timedatectl steps back to let you keep your old setup. That shall ensure that no two time syncing services are fighting and also to retain any kind of old behaviour/config that you had through an upgrade. But it also implies that on an upgrade from a former release ntp/ntpdate might still be installed and therefore renders the new systemd based services disabled. + +### timesyncd + +In recent Ubuntu releases timesyncd replaces the client portion of ntpd. By default timesyncd regularly checks and keeps the time in sync. It also stores time updates locally, so that after reboots monotonically advances if applicable. + +The current status of time and time configuration via timedatectl and timesyncd can be checked with timedatectl status. 
+ +``` +timedatectl status + Local time: Fri 2016-04-29 06:32:57 UTC + Universal time: Fri 2016-04-29 06:32:57 UTC + RTC time: Fri 2016-04-29 07:44:02 + Time zone: Etc/UTC (UTC, +0000) + Network time on: yes +NTP synchronized: no + RTC in local TZ: no +``` + +If NTP is installed and replaces the activity of timedatectl the line "NTP synchronized" is set to yes. + +The nameserver to fetch time for timedatectl and timesyncd from can be specified in /etc/systemd/timesyncd.conf and with flexible additional config files in /etc/systemd/timesyncd.conf.d/. + +### ntpdate + +ntpdate is considered deprecated in favour of timedatectl and thereby no more installed by default. If installed it will run once at boot time to set up your time according to Ubuntu's NTP server. Later on anytime a new interface comes up it retries to update the time - while doing so it will try to slowly drift time as long as the delta it has to cover isn't too big. That behaviour can be controlled with the -B/-b switches. + +``` +ntpdate ntp.ubuntu.com +``` + +### timeservers + +By default the systemd based tools request time information at ntp.ubuntu.com. In classic ntpd based service uses the pool of [0-3].ubuntu.pool.ntp.org Of the pool number 2.ubuntu.pool.ntp.org as well as ntp.ubuntu.com also support ipv6 if needed. If one needs to force ipv6 there also is ipv6.ntp.ubuntu.com which is not configured by default. + +### ntpd + +The ntp daemon ntpd calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible. + +### 安装 + +To install ntpd, from a terminal prompt enter: + +``` +sudo apt install ntp +``` + +### 配置 + +Edit /etc/ntp.conf to add/remove server lines. By default these servers are configured: + +``` +# Use servers from the NTP Pool Project. 
Approved by Ubuntu Technical Board +# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for +# more information. +server 0.ubuntu.pool.ntp.org +server 1.ubuntu.pool.ntp.org +server 2.ubuntu.pool.ntp.org +server 3.ubuntu.pool.ntp.org +``` + +After changing the config file you have to reload the ntpd: + +``` +sudo systemctl reload ntp.service +``` + +### View status + +Use ntpq to see more info: + +``` +# sudo ntpq -p + remote refid st t when poll reach delay offset jitter +============================================================================== ++stratum2-2.NTP. 129.70.130.70 2 u 5 64 377 68.461 -44.274 110.334 ++ntp2.m-online.n 212.18.1.106 2 u 5 64 377 54.629 -27.318 78.882 +*145.253.66.170 .DCFa. 1 u 10 64 377 83.607 -30.159 68.343 ++stratum2-3.NTP. 129.70.130.70 2 u 5 64 357 68.795 -68.168 104.612 ++europium.canoni 193.79.237.14 2 u 63 64 337 81.534 -67.968 92.792 +``` + +### PPS Support + +Since 16.04 ntp supports PPS discipline which can be used to augment ntp with local timesources for better accuracy. For more details on configuration see the external pps ressource listed below. + +### 参考资料 + +* See the [Ubuntu Time][1] wiki page for more information. 
+ +* [ntp.org, home of the Network Time Protocol project][2] + +* [ntp.org faq on configuring PPS][3] + +-------------------------------------------------------------------------------- + +via: https://help.ubuntu.com/lts/serverguide/NTP.html + +作者:[Ubuntu][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://help.ubuntu.com/lts/serverguide/NTP.html +[1]:https://help.ubuntu.com/community/UbuntuTime +[2]:http://www.ntp.org/ +[3]:http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#S-CONFIG-ADV-PPS +[4]:https://help.ubuntu.com/lts/serverguide/NTP.html#timedatectl +[5]:https://help.ubuntu.com/lts/serverguide/NTP.html#timesyncd +[6]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntpdate +[7]:https://help.ubuntu.com/lts/serverguide/NTP.html#timeservers +[8]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntpd +[9]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntp-installation +[10]:https://help.ubuntu.com/lts/serverguide/NTP.html#timeservers-conf +[11]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntp-status +[12]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntp-pps +[13]:https://help.ubuntu.com/lts/serverguide/NTP.html#ntp-references From cc903ebd3d8d1cdcc65a2ca4744eb42c19a03bbd Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:46:32 +0800 Subject: [PATCH 069/181] =?UTF-8?q?20161229-8=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sources/tech/20160516 Securing Your Server.md | 380 ++++++++++++++++++ 1 file changed, 380 insertions(+) create mode 100644 sources/tech/20160516 Securing Your Server.md diff --git a/sources/tech/20160516 Securing Your Server.md b/sources/tech/20160516 Securing Your Server.md new file mode 100644 index 0000000000..a5b0f29606 --- /dev/null +++ b/sources/tech/20160516 Securing Your Server.md 
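Review bot: On `sources/tech/Using the NTP time synchronization.md`, the file added by the "20161229-7 选题" patch that ends just above: the file goes into `sources/` already half translated. The title, the first paragraph and the headings `### 安装`, `### 配置` and `### 参考资料` are in Chinese, while every other paragraph and the headings `### View status` and `### PPS Support` are still English. A source file should carry the original text throughout, so that the translator works from one consistent version. Either restore the English title, intro and headings, or mark the file as in translation. The file name also has no date prefix, unlike `20160516 Securing Your Server.md` next to it, and the following commits in this series are renames that add exactly such prefixes. Adding it here saves another rename.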
@@ -0,0 +1,380 @@ +Securing Your Server +============================================================ + +### Update Your System–Frequently + +Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public. + +### Automatic Security Updates + +There are arguments for and against automatic updates on servers. [Fedora’s Wiki][15] has a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. + +The practicality of automatic updates is something you must judge for yourself because it comes down to what _you_ do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment. + +* CentOS uses _[yum-cron][2]_ for automatic updates. + +* Debian and Ubuntu use _[unattended upgrades][3]_. + +* Fedora uses _[dnf-automatic][4]_. + +### Add a Limited User Account + +Up to this point, you have accessed your Linode as the `root` user, which has unlimited privileges and can execute _any_ command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using `sudo` to temporarily elevate your limited user’s privileges so you can administer your server. + +> Not all Linux distributions include `sudo` on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output `sudo: command not found`, install sudo before continuing. 
+ +To add a new user, first [log in to your Linode][16] via SSH. + +### CentOS / Fedora + +1. Create the user, replacing `example_user` with your desired username, and assign a password: + +``` + useradd example_user && passwd example_user +``` + +2. Add the user to the `wheel` group for sudo privileges: + +``` + usermod -aG wheel example_user +``` + +### Ubuntu + +1. Create the user, replacing `example_user` with your desired username. You’ll then be asked to assign the user a password: + +``` + adduser example_user +``` + +2. Add the user to the `sudo` group so you’ll have administrative privileges: + + +``` + adduser example_user sudo +``` + +### Debian + +1. Debian does not include `sudo` among their default packages. Use `apt-get` to install it: + + +``` + apt-get install sudo +``` + +2. Create the user, replacing `example_user` with your desired username. You’ll then be asked to assign the user a password: + +``` + adduser example_user +``` + +3. Add the user to the `sudo` group so you’ll have administrative privileges: + +``` + adduser example_user sudo +``` + +After creating your limited user, disconnect from your Linode: + +``` +exit +``` + +Log back in as your new user. Replace `example_user` with your username, and the example IP address with your Linode’s IP address: + +``` +ssh example_user@203.0.113.10 +``` + +Now you can administer your Linode from your new user account instead of `root`. Nearly all superuser commands can be executed with `sudo` (example: `sudo iptables -L -nv`) and those commands will be logged to `/var/log/auth.log`. + +### Harden SSH Access + +By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section we’ll create a key-pair and configure the Linode to not accept passwords for SSH logins. + +### Create an Authentication Key-pair + +1. 
This is done on your local computer, **not** your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one. + + **Linux / OS X** + + > If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run `ls ~/.ssh/id_rsa*`. + +``` + ssh-keygen -b 4096 +``` + + + Press **Enter** to use the default names `id_rsa` and `id_rsa.pub` in `/home/your_username/.ssh` before entering your passphrase. + + **Windows** + + This can be done using PuTTY as outlined in our guide: [Use Public Key Authentication with SSH][6]. + +2. Upload the public key to your Linode. Replace `example_user` with the name of the user you plan to administer the server as, and `203.0.113.10` with your Linode’s IP address. + + **Linux** + + From your local computer: + +``` + ssh-copy-id example_user@203.0.113.10 +``` + + **OS X** + + On your Linode (while signed in as your limited user): + +``` + mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ +``` + + From your local computer: + +``` + scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys +``` + + > `ssh-copy-id` is available in [Homebrew][5] if you prefer it over SCP. Install with `brew install ssh-copy-id`. + + **Windows** + + * **Option 1**: This can be done using [WinSCP][1]. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click _Login_ to connect. + + Once WinSCP has connected, you’ll see two main sections. 
The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click _Upload_ in the toolbar above. + + You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to `/home/example_user/.ssh/authorized_keys`, replacing `example_user` with your username. + + * **Option 2:** Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user): + + ``` + mkdir ~/.ssh; nano ~/.ssh/authorized_keys + ``` + + + The above command will open a blank file called `authorized_keys` in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press **CTRL+X**, then **Y**, then **Enter** to save the file. + + Finally, you’ll want to set permissions for the public key directory and the key file itself: + +``` + sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys +``` + + These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on [how to modify file permissions][7]. + +3. Now exit and log back into your Linode. If you specified a passphrase for your private key, you’ll need to enter it. + +### SSH Daemon Options + +1. **Disallow root logins over SSH.** This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using `sudo` or changing to a root shell using `su -`. + +``` + # Authentication: + ... + PermitRootLogin no +``` + + +2. **Disable SSH password authentication.** This requires all users connecting via SSH to use key authentication. 
Depending on the Linux distribution, the line `PasswordAuthentication` may need to be added, or uncommented by removing the leading `#`. + + +``` + # Change to no to disable tunnelled clear text passwords + PasswordAuthentication no +``` + + > You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device. + +3. **Listen on only one internet protocol.** The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. _This does not disable the protocol system-wide, it is only for the SSH daemon._ + + Use the option: + + * `AddressFamily inet` to listen only on IPv4. + * `AddressFamily inet6` to listen only on IPv6. + + The `AddressFamily` option is usually not in the `sshd_config` file by default. Add it to the end of the file: + +``` + echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config +``` + + +4. Restart the SSH service to load the new configuration. + + If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+) + +``` + sudo systemctl restart sshd +``` + + If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04): + +``` + sudo service ssh restart +``` + +### Use Fail2Ban for SSH Login Protection + +[_Fail2Ban_][17] is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access. + +Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. 
By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address. + +For complete instructions on installing and configuring Fail2Ban, see our guide: [Securing Your Server with Fail2ban][18]. + +### Remove Unused Network-Facing Services + +Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages. + +### Determine Running Services + +To see your Linode’s running network services: + +``` +sudo netstat -tulpn +``` + + +> If netstat isn’t included in your Linux distribution by default, install the package `net-tools` or use the `ss -tulpn`command instead. + +The following is an example of netstat’s output. 
Note that because distributions run different services by default, your output will differ: + + +``` +Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name +tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7315/rpcbind +tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3277/sshd +tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3179/exim4 +tcp 0 0 0.0.0.0:42526 0.0.0.0:* LISTEN 2845/rpc.statd +tcp6 0 0 :::48745 :::* LISTEN 2845/rpc.statd +tcp6 0 0 :::111 :::* LISTEN 7315/rpcbind +tcp6 0 0 :::22 :::* LISTEN 3277/sshd +tcp6 0 0 ::1:25 :::* LISTEN 3179/exim4 +udp 0 0 127.0.0.1:901 0.0.0.0:* 2845/rpc.statd +udp 0 0 0.0.0.0:47663 0.0.0.0:* 2845/rpc.statd +udp 0 0 0.0.0.0:111 0.0.0.0:* 7315/rpcbind +udp 0 0 192.0.2.1:123 0.0.0.0:* 3327/ntpd +udp 0 0 127.0.0.1:123 0.0.0.0:* 3327/ntpd +udp 0 0 0.0.0.0:123 0.0.0.0:* 3327/ntpd +udp 0 0 0.0.0.0:705 0.0.0.0:* 7315/rpcbind +udp6 0 0 :::111 :::* 7315/rpcbind +udp6 0 0 fe80::f03c:91ff:fec:123 :::* 3327/ntpd +udp6 0 0 2001:DB8::123 :::* 3327/ntpd +udp6 0 0 ::1:123 :::* 3327/ntpd +udp6 0 0 :::123 :::* 3327/ntpd +udp6 0 0 :::705 :::* 7315/rpcbind +udp6 0 0 :::60671 :::* 2845/rpc.statd +``` + +Netstat tells us that services are running for [Remote Procedure Call][19] (rpc.statd and rpcbind), SSH (sshd), [NTPdate][20] (ntpd) and [Exim][21] (exim4). + +#### TCP + +See the **Local Address** column of the netstat readout. The process `rpcbind` is listening on `0.0.0.0:111` and `:::111` for a foreign address of `0.0.0.0:*` or `:::*`. This means that it’s accepting incoming TCP connections from other RPC clients on any external address, both IPv4 and IPv6, from any port and over any network interface. We see similar for SSH, and that Exim is listening locally for traffic from the loopback interface, as shown by the `127.0.0.1` address. + +#### UDP + +UDP sockets are _[stateless][14]_, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. 
This is in contrast to TCP connection states such as _LISTEN_, _ESTABLISHED_ and _CLOSE_WAIT_. + +Our netstat output shows that NTPdate is: 1) accepting incoming connections on the Linode’s public IP address; 2) communicates over localhost; and 3) accepts connections from external sources. These are over port 123, and both IPv4 and IPv6\. We also see more sockets open for RPC. + +### Determine Which Services to Remove + +If you were to do a basic TCP and UDP [nmap][22] scan of your Linode without a firewall enabled, SSH, RPC and NTPdate would be present in the result with ports open. By [configuring a firewall][23] you can filter those ports, with the exception of SSH because it must allow your incoming connections. Ideally, however, the unused services should be disabled. + +* You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, [RSA keys][8] and [Fail2Ban][9] can help protect SSH. + +* NTP is necessary for your server’s timekeeping but there are alternatives to NTPdate. If you prefer a time synchronization method which does not hold open network ports, and you do not need nanosecond accuracy, then you may be interested in replacing NTPdate with [OpenNTPD][10]. + +* Exim and RPC, however, are unnecessary unless you have a specific use for them, and should be removed. + +> This section focused on Debian 8\. Different Linux distributions have different services enabled by default. If you are unsure of what a service does, do an internet search to understand what it is before attempting to remove or disable it. + +### Uninstall the Listening Services + +How to remove the offending packages will differ depending on your distribution’s package manager. 
+ +**Arch** + +``` +sudo pacman -Rs package_name +``` + +**CentOS** + + +``` +sudo yum remove package_name +``` + + +**Debian / Ubuntu** + +``` +sudo apt-get purge package_name +``` + +**Fedora** + + +``` +sudo dnf remove package_name +``` + +Run `sudo netstat -tulpn` again. You should now only see listening services for SSH (sshd) and NTP (ntpdate, network time protocol). + +### Configure a Firewall + +Using a _firewall_ to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications: + +* [Iptables][11] is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default. + +* [FirewallD][12] is the iptables controller available for the CentOS / Fedora family of distributions. + +* [UFW][13] provides an iptables frontend for Debian and Ubuntu. + +### Next Steps + +These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using [intrusion detection][24] or installing a form of [access control][25]. + +Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from [migration from shared hosting][26] to [enabling two-factor authentication][27] to [hosting a website][28]. 
+ +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/securing-your-server/ + +作者:[Phil Zona ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/securing-your-server/ +[1]:http://winscp.net/ +[2]:https://fedoraproject.org/wiki/AutoUpdates#Fedora_21_or_earlier_versions +[3]:https://help.ubuntu.com/lts/serverguide/automatic-updates.html +[4]:https://dnf.readthedocs.org/en/latest/automatic.html +[5]:http://brew.sh/ +[6]:https://www.linode.com/docs/security/use-public-key-authentication-with-ssh#windows-operating-system +[7]:https://www.linode.com/docs/tools-reference/modify-file-permissions-with-chmod +[8]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair +[9]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection +[10]:https://en.wikipedia.org/wiki/OpenNTPD +[11]:https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables +[12]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos +[13]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw +[14]:https://en.wikipedia.org/wiki/Stateless_protocol +[15]:https://fedoraproject.org/wiki/AutoUpdates#Why_use_Automatic_updates.3F +[16]:https://www.linode.com/docs/getting-started#logging-in-for-the-first-time +[17]:http://www.fail2ban.org/wiki/index.php/Main_Page +[18]:https://www.linode.com/docs/security/using-fail2ban-for-security +[19]:https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call +[20]:http://support.ntp.org/bin/view/Main/SoftwareDownloads +[21]:http://www.exim.org/ +[22]:https://nmap.org/ +[23]:https://www.linode.com/docs/security/securing-your-server/#configure-a-firewall 
+[24]:https://linode.com/docs/security/ossec-ids-debian-7 +[25]:https://en.wikipedia.org/wiki/Access_control#Access_Control +[26]:https://www.linode.com/docs/migrate-to-linode/migrate-from-shared-hosting +[27]:https://www.linode.com/docs/security/linode-manager-security-controls +[28]:https://www.linode.com/docs/websites/hosting-a-website From 7c9336a27e5e79b5f48b358d8cb8e0b9c79e3b36 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:48:12 +0800 Subject: [PATCH 070/181] =?UTF-8?q?20161229-7=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ve Directory Infrastructure from Windows10 via RSAT – Part 3.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/{Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md => 20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md} (100%) diff --git a/sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md b/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md similarity index 100% rename from sources/tech/Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md rename to sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md From 1d2e27518a954e386ffd8115a87aaea364e727be Mon Sep 17 00:00:00 2001 
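Review bot: On `sources/tech/20160516 Securing Your Server.md`, in the OS X upload step: `scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys` replaces the remote `authorized_keys` file rather than appending to it, so any key already installed for that user is dropped. The translation should carry a note that this only suits a fresh account, or point to the `ssh-copy-id` route shown for Linux. Under "SSH Daemon Options", steps 1 and 2 show `PermitRootLogin no` and `PasswordAuthentication no` without saying which file to edit, and `/etc/ssh/sshd_config` first appears in step 3. Name the file at step 1. The netstat walkthrough calls the time service "NTPdate" although the output lists the process as `3327/ntpd`, and the check after removal says "NTP (ntpdate, network time protocol)". Use one name that matches the output. The sequences `IPv6\.` and `Debian 8\.` are escape residue from the conversion and should lose the backslash before translation starts.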
From: Ezio Date: Thu, 29 Dec 2016 11:48:42 +0800 Subject: [PATCH 071/181] =?UTF-8?q?20161229-3=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...Domain Controller DNS and Group Policy from Windows – Part 4.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/{Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md => 20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md} (100%) diff --git a/sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md b/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md similarity index 100% rename from sources/tech/Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md rename to sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md From 92ec1ba0f285056ab54ed44d383808199a003bd7 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:49:15 +0800 Subject: [PATCH 072/181] =?UTF-8?q?20161229-5=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ge Samba4 AD Infrastructure from Linux Command Line – Part 2.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/{How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md => 20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md} (100%) 
diff --git a/sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md similarity index 100% rename from sources/tech/How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md rename to sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md From 2deeaee3787ef03c21af5095d6dca58c8c3aa1dd Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:49:44 +0800 Subject: [PATCH 073/181] =?UTF-8?q?20161229-4=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...20161215 Building an Email Server on Ubuntu Linux - Part 3.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/{Building an Email Server on Ubuntu Linux - Part 3.md => 20161215 Building an Email Server on Ubuntu Linux - Part 3.md} (100%) diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md b/sources/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md similarity index 100% rename from sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md rename to sources/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md From ac68ad98a9d5ed5367e158a873aaac99a36e978d Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:54:44 +0800 Subject: [PATCH 074/181] =?UTF-8?q?20161229-9=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...012 Introduction to FirewallD on CentOS.md | 409 ++++++++++++++++++ 1 file changed, 409 insertions(+) create mode 100644 sources/tech/20161012 Introduction to FirewallD on CentOS.md diff --git a/sources/tech/20161012 Introduction to FirewallD on CentOS.md b/sources/tech/20161012 Introduction to FirewallD on CentOS.md new file mode 100644 index 0000000000..9beba99e39 --- /dev/null 
+++ b/sources/tech/20161012 Introduction to FirewallD on CentOS.md 
@@ -0,0 +1,409 @@ +Introduction to FirewallD on CentOS +============================================================ + + +[FirewallD][4] is frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to directly controlling iptables: + +1. FirewallD uses _zones_ and _services_ instead of chain and rules. +2. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections. + +> FirewallD is a wrapper for iptables to allow easier management of iptables rules–it is **not** an iptables replacement. While iptables commands are still available to FirewallD, it’s recommended to use only FirewallD commands with FirewallD. + +This guide will introduce you to FirewallD, its notions of zones and services, and show you some basic configuration steps. + +### Installing and Managing FirewallD + +FirewallD is included by default with CentOS 7 and Fedora 20+ but it’s inactive. Controlling it is the same as with other systemd units. + +1. To start the service and enable FirewallD on boot: + + + ``` + sudo systemctl start firewalld + sudo systemctl enable firewalld + ``` + | + + To stop and disable it: + + + ``` + sudo systemctl stop firewalld + sudo systemctl disable firewalld + ``` + + +2. Check the firewall status. The output should say either `running` or `not running`. + + + ``` + sudo firewall-cmd --state + ``` + + +3. 
To view the status of the FirewallD daemon: + + + ``` + sudo systemctl status firewalld + ``` + + + Example output: + + + ``` + firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled) + Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago + Main PID: 11954 (firewalld) + CGroup: /system.slice/firewalld.service + └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid + ``` + + +4. To reload a FirewallD configuration: + + + ``` + sudo firewall-cmd --reload + ``` + + +### Configuring FirewallD + +Firewalld is configured with XML files. Except for very specific configurations, you won’t have to deal with them and **firewall-cmd** should be used instead. + +Configuration files are located in two directories: + +* `/usr/lib/FirewallD` holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update. +* `/etc/firewalld` holds system configuration files. These files will overwrite a default configuration. + +### Configuration Sets + +Firewalld uses two _configuration sets_: Runtime and Permanent. Runtime configuration changes are not retained on reboot or upon restarting FirewallD whereas permanent changes are not applied to a running system. + +By default, `firewall-cmd` commands apply to runtime configuration but using the `--permanent` flag will establish a persistent configuration. To add and activate a permanent rule, you can use one of two methods. + +1. Add the rule to both the permanent and runtime sets. + + + ``` + sudo firewall-cmd --zone=public --add-service=http --permanent + sudo firewall-cmd --zone=public --add-service=http + ``` + + +2. Add the rule to the permanent set and reload FirewallD. 
+ + + ``` + sudo firewall-cmd --zone=public --add-service=http --permanent + sudo firewall-cmd --reload + ``` + + + > The reload command drops all runtime configurations and applies a permanent configuration. Because firewalld manages the ruleset dynamically, it won’t break an existing connection and session. + +### Firewall Zones + +Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.). Different zones allow different network services and incoming traffic types while denying everything else. After enabling FirewallD for the first time, _Public_will be the default zone. + +Zones can also be applied to different network interfaces. For example, with separate interfaces for both an internal network and the Internet, you can allow DHCP on an internal zone but only HTTP and SSH on external zone. Any interface not explicitly set to a specific zone will be attached to the default zone. + +To view the default zone: + + +``` +sudo firewall-cmd --get-default-zone +``` + + +To change the default zone: + +``` +sudo firewall-cmd --set-default-zone=internal +``` + + +To see the zones used by your network interface(s): + +``` +sudo firewall-cmd --get-active-zones +``` + + +Example output: + + +``` +public + interfaces: eth0 +``` + + +To get all configurations for a specific zone: + + +``` +sudo firewall-cmd --zone=public --list-all +``` + + +Example output: + + +``` +public (default, active) + interfaces: ens160 + sources: + services: dhcpv6-client http ssh + ports: 12345/tcp + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +``` + +To get all configurations for all zones: + +``` +sudo firewall-cmd --list-all-zones +``` + + +Example output: + + +``` +block + interfaces: + sources: + services: + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: + + ... 
+ +work + interfaces: + sources: + services: dhcpv6-client ipp-client ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +``` + + +### Working with Services + +FirewallD can allow traffic based on predefined rules for specific network services. You can create your own custom serivce rules and add them to any zone. The configuration files for the default supported services are located at `/usr/lib/firewalld/services` and user-created service files would be in `/etc/firewalld/services`. + +To view the default available services: + + +``` +sudo firewall-cmd --get-services +``` + + +As an example, to enable or disable the HTTP service: + + +``` +sudo firewall-cmd --zone=public --add-service=http --permanent +sudo firewall-cmd --zone=public --remove-service=http --permanent +``` + + +### Allowing or Denying an Arbitrary Port/Protocol + +As an example: Allow or disable TCP traffic on port 12345. + + +``` +sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent +sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent +``` + + +### Port Forwarding + +The example rule below forwards traffic from port 80 to port 12345 on **the same server**. + + +``` +sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345 +``` + + +To forward a port to **a different server**: + +1. Activate masquerade in the desired zone. + + + ``` + sudo firewall-cmd --zone=public --add-masquerade + ``` + + +2. Add the forward rule. This example forwards traffic from local port 80 to port 8080 on _a remote server_ located at the IP address: 123.456.78.9. + + + ``` + sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9 + ``` + + +To remove the rules, substitute `--add` with `--remove`. 
For example: + + +``` +sudo firewall-cmd --zone=public --remove-masquerade +``` + + +### Constructing a Ruleset with FirewallD + +As an example, here is how you would use FirewallD to assign basic rules to your Linode if you were running a web server. + +1. Assign the _dmz_ zone as the default zone to eth0\. Of the default zones offered, dmz (demilitarized zone) is the most desirable to start with for this application because it allows only SSH and ICMP. + + + ``` + sudo firewall-cmd --set-default-zone=dmz + sudo firewall-cmd --zone=dmz --add-interface=eth0 + ``` + + +2. Add permanent service rules for HTTP and HTTPS to the dmz zone: + + + ``` + sudo firewall-cmd --zone=dmz --add-service=http --permanent + sudo firewall-cmd --zone=dmz --add-service=https --permanent + ``` + + +3. Reload FirewallD so the rules take effect immediately: + + + ``` + sudo firewall-cmd --reload + ``` + + + If you now run `firewall-cmd --zone=dmz --list-all`, this should be the output: + + + + ``` + dmz (default) + interfaces: eth0 + sources: + services: http https ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: + ``` + + + This tells us that the **dmz** zone is our **default** which applies to the **eth0 interface**, all network **sources** and **ports**. Incoming HTTP (port 80), HTTPS (port 443) and SSH (port 22) traffic is allowed and since there are no restrictions on IP versioning, this will apply to both IPv4 and IPv6. **Masquerading** and **port forwarding** are not allowed. We have no **ICMP blocks**, so ICMP traffic is fully allowed, and no **rich rules**. All outgoing traffic is allowed. + +### Advanced Configuration + +Services and ports are fine for basic configuration but may be too limiting for advanced scenarios. Rich Rules and Direct Interface allow you to add fully custom firewall rules to any zone for any port, protocol, address and action. 
+ +### Rich Rules + +Rich rules syntax is extensive but fully documented in the [firewalld.richlanguage(5)][5] man page (or see `man firewalld.richlanguage` in your terminal). Use `--add-rich-rule`, `--list-rich-rules` and `--remove-rich-rule` with firewall-cmd command to manage them. + +Here are some common examples: + +Allow all IPv4 traffic from host 192.168.0.14. + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept' +``` + + +Deny IPv4 traffic over TCP from host 192.168.1.10 to port 22. + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject' +``` + + +Allow IPv4 traffic over TCP from host 10.1.0.3 to port 80, and forward it locally to port 6532. + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532' +``` + + +Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade should be active on the zone). + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2' +``` + + +To list your current Rich Rules: + + +``` +sudo firewall-cmd --list-rich-rules +``` + + +### iptables Direct Interface + +For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless the `--permanent` is used. + +To see all custom chains or rules added to FirewallD: + + +``` +firewall-cmd --direct --get-all-chains +firewall-cmd --direct --get-all-rules +``` + + +Discussing iptables syntax details goes beyond the scope of this guide. If you want to learn more, you can review our [iptables guide][6]. + +### More Information + +You may wish to consult the following resources for additional information on this topic. 
While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials. + +* [FirewallD Official Site][1] +* [RHEL 7 Security Guide: Introduction to FirewallD][2] +* [Fedora Wiki: FirewallD][3] + +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos + +作者:[ Linode][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos +[1]:http://www.firewalld.org/ +[2]:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld +[3]:https://fedoraproject.org/wiki/FirewallD +[4]:http://www.firewalld.org/ +[5]:https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.richlanguage.html +[6]:https://www.linode.com/docs/networking/firewalls/control-network-traffic-with-iptables From 088907fe497c6d9eaa4198bbb8ab7864b9eecf6b Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 11:57:29 +0800 Subject: [PATCH 075/181] translated --- ...n Email Server on Ubuntu Linux - Part 2.md | 55 +++++++++---------- 1 file changed, 27 insertions(+), 28 deletions(-) rename {sources => translated}/tech/Building an Email Server on Ubuntu Linux - Part 2.md (53%) diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md b/translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md similarity index 53% rename from sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md rename to translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md index 4c28c0bad3..62f0d8207b 100644 --- a/sources/tech/Building an Email Server on Ubuntu Linux - Part 2.md 
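Review bot: In the new `20161012 Introduction to FirewallD on CentOS.md`, the "Configuring FirewallD" bullet gives the defaults directory as `/usr/lib/FirewallD`, while "Working with Services" uses `/usr/lib/firewalld/services`; paths are case-sensitive, so the bullet should read `/usr/lib/firewalld` before this goes to translators. The remote port-forward example uses `toaddr=123.456.78.9`, which is not a valid IPv4 address (one octet is above 255), so the command cannot be used as pasted. In "Constructing a Ruleset", step 1 runs `--add-interface=eth0` without `--permanent` and step 3 runs `--reload`, which by the file's own note "drops all runtime configurations"; either add `--permanent` to that command or say that eth0 ends up in dmz only because dmz is the default zone. Smaller fixes in the same hunk: the stray `|` line after the first code block, the missing space in `_Public_will`, and "serivce".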
+++ b/translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md 
@@ -1,29 +1,27 @@ -translating---geekpi - -Building an Email Server on Ubuntu Linux, Part 2 +在Ubuntu上构建一台Email服务器(二) ============================================================ ### [dovecot-email.jpg][4] ![Dovecot email](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/dovecot-email.jpg?itok=tY4veggw "Dovecot email") -Part 2 in this tutorial shows how to use Dovecot to move messages off your Postfix server and into your users' email inboxes.[Creative Commons Zero][2]Pixabay +本教程的第2部分将介绍如何使用Dovecot将邮件从Postfix服务器移动到用户的收件箱。以[Creative Commons Zero][2]Pixabay方式授权发布 -In [part 1][5], we installed and tested the Postfix SMTP server. Postfix, or any SMTP server, isn't a complete mail server because all it does is move messages between SMTP servers. We need Dovecot to move messages off your Postfix server and into your users' email inboxes. +在[第一部分][5]中,我们安装并测试了Postfix SMTP服务器。Postfix或任何SMTP服务器都不是一个完整的邮件服务器,因为它所做的是在SMTP服务器之间移动邮件。我们需要Dovecot将邮件从Postfix服务器移动到用户的收件箱中。 -Dovecot supports the two standard mail protocols, IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol). An IMAP server retains all messages on the server. Your users have the option to download messages to their computers or access them only on the server. IMAP is convenient for users who have multiple machines. It's more work for you because you have to ensure that your server is always available, and IMAP servers require a lot of storage and memory. +Dovecot支持两种标准邮件协议:IMAP(Internet邮件访问协议)和POP3(邮局协议)。 IMAP服务器保留服务器上的所有邮件。您的用户可以选择将邮件下载到计算机或仅在服务器上访问它们。 IMAP对于有多台机器的用户是方便的。但对你而言会有更多的工作,因为你必须确保你的服务器始终可用,而且IMAP服务器需要大量的存储和内存。 -POP3 is an older protocol. A POP3 server can serve many more users than an IMAP server because messages are downloaded to your users' computers. Most mail clients have the option to leave messages on the server for a certain number of days, so POP3 can behave somewhat like IMAP. 
But it's not IMAP, and when you do this messages are often downloaded multiple times or deleted unexpectedly. +POP3是较旧的协议。POP3服务器可以比IMAP服务器服务更多的用户,因为邮件会下载到用户的计算机。大多数邮件客户端可以选择在服务器上保留一定天数的邮件,因此POP3的行为有点像IMAP。但它不是IMAP,当你像IMAP那样做那么常常会下载多次或意外删除。 -### Install Dovecot +### 安装 Dovecot -Fire up your trusty Ubuntu system and install Dovecot: +启动你信任的Ubuntu系统并安装Dovecot: ``` $ sudo apt-get install dovecot-imapd dovecot-pop3d ``` -It installs with a working configuration and automatically starts after installation, which you can confirm with `ps ax | grep dovecot`: +它会在安装可用的配置并在完成后自动启动,你可以用`ps ax | grep dovecot`确认: ``` @@ -33,7 +31,7 @@ $ ps ax | grep dovecot 15991 ? S 0:00 dovecot/log ``` -Open your main Postfix configuration file, `/etc/postfix/main.cf`, and make sure it is configured for maildirs and not mbox mail stores; mbox is single giant file for each user, while maildir gives each message its own file. Lots of little files are more stable and easier to manage than giant bloaty files. Add these two lines; the second line tells Postfix you want maildir format, and to create a `.Mail` directory for every user in their home directories. You can name this directory anything you want, it doesn't have to be `.Mail`: +打开你的Postfix配置文件`/etc/postfix/main.cf`,确保配置了maildirs而不是mbox邮件存储,mbox是对于每个用户的大文件,而maildir是每条消息都有一个文件。大量的小文件比一个庞大的文件更稳定且易于管理。下面添加两行,第二行告诉Postfix你需要maildir格式,并且在每个用户的家目录下创建一个`.Mail`目录。你可以取任何名字,不一定要是`.Mail`: ``` @@ -41,14 +39,14 @@ mail_spool_directory = /var/mail home_mailbox = .Mail/ ``` -Now tweak your Dovecot configuration. First rename the original `dovecot.conf` file to get it out of the way, because it calls a host of `conf.d` files and it is better to keep things simple while you're learning: +现在调整你的Dovecot配置。首先把原始的`dovecot.conf`文件重命名,因为它会调用`conf.d`中的文件来让事情简单些: ``` $ sudo mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot-oldconf ``` -Now create a clean new `/etc/dovecot/dovecot.conf` with these contents: +现在创建一个新的`/etc/dovecot/dovecot.conf`: ``` 
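Review bot: The translated sentence about renaming `dovecot.conf` in this hunk inverts the source. The original says to move the file out of the way because it pulls in a host of `conf.d` files and a simple setup is better while learning; "因为它会调用`conf.d`中的文件来让事情简单些" reads as if the `conf.d` files are what make things simple. Suggest stating both halves: the stock file includes many `conf.d` files, and it is renamed so the configuration stays simple. The following line also drops "clean" and "with these contents" from "Now create a clean new `/etc/dovecot/dovecot.conf` with these contents:", which leaves the code block after it unintroduced.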
@@ -76,7 +74,7 @@ userdb { } ``` -Note that `mail_location = maildir` must match the `home_mailbox` parameter in `main.cf`. Save your changes and reload both Postfix and Dovecot's configurations: +注意`mail_location = maildir` 必须和`main.cf`中的`home_mailbox`参数匹配。保存你的更改并重新加载Postfix和Dovecot配置: ``` @@ -84,9 +82,9 @@ $ sudo postfix reload $ sudo dovecot reload ``` -### Fast Way to Dump Configurations +### 快速导出配置 -Use these commands to quickly review your Postfix and Dovecot configurations: +使用下面的命令来查看你的Postfix和Dovecot配置: ``` @@ -94,9 +92,9 @@ $ postconf -n $ doveconf -n ``` -### Test Dovecot +### 测试 Dovecot -Now let's put telnet to work again, and send ourselves a test message. The lines in bold are the commands that you type. `studio` is my server's hostname, so of course you must use your own: +现在再次启动telnet,并且给自己发送一条测试消息。粗体显示的是你输入的命令。`studio`是我服务器的主机名,因此你必须用自己的: ``` @@ -134,7 +132,7 @@ quit Connection closed by foreign host. ``` -Now query Dovecot to fetch your new message. Log in using your Linux username and password: +现在请求Dovecot来取回你的新消息,使用你的Linux用户名和密码登录: ``` @@ -175,7 +173,7 @@ quit Connection closed by foreign host. ``` -Take a moment to compare the message entered in the first example, and the message received in the second example. It is easy to spoof the return address and date, but Postfix is not fooled. Most mail clients default to displaying a minimal set of headers, but you need to read the full headers to see the true backtrace. +花一点时间比较第一个例子中输入的消息和第二个例子中接收的消息。 它很容易欺骗返回地址和日期,但Postfix不会这样。大多数邮件客户端默认显示一个最小的标头集,但是你需要读取完整的标头以查看真实的回溯。 You can also read your messages by looking in your `~/Mail/cur` directory. They are plain text. Mine has two test messages: @@ -186,9 +184,9 @@ $ ls .Mail/cur/ 1480555224.V806I28e000eM41463.studio:2,S ``` -### Testing IMAP +### 测试 IMAP -Our Dovecot configuration enables both POP3 and IMAP, so let's use telnet to test IMAP. +我们Dovecot同时启用了POP3和IMAP,因此我们使用telnet测试IMAP。 ``` 
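Review bot: In the `@@ -175,7 +173,7 @@` hunk, "它很容易欺骗返回地址和日期,但Postfix不会这样" loses the security point of the source sentence "It is easy to spoof the return address and date, but Postfix is not fooled": the sender can forge those fields, and the headers Postfix records still show the real path. Something like "伪造返回地址和日期很容易,但 Postfix 不会被骗" keeps that meaning. The context line directly below it ("You can also read your messages by looking in your `~/Mail/cur` directory. They are plain text. Mine has two test messages:") is still in English although the file is being moved to `translated/`, so it needs translating in this patch too.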
@@ -223,26 +221,27 @@ A4 OK Logout completed. Connection closed by foreign host ``` -### Thunderbird Mail Client +### Thunderbird邮件客户端 + +图1中的屏幕截图显示了我局域网上另一台主机上的图形邮件客户端中的邮件。 -This screenshot in Figure 1 shows what my messages look like in a graphical mail client on another host on my LAN. ### [thunderbird-mail.png][3] ![thunderbird mail](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/thunderbird-mail.png?itok=IkWK5Ti_ "thunderbird mail") -Figure 1: Thunderbird mail.[Used with permission][1] +图1: Thunderbird mail.[Used with permission][1] -At this point, you have a working IMAP and POP3 mail server, and you know how to test your server. Your users will choose which protocol they want to use when they set up their mail clients. If you want to support only one mail protocol, then name just the one in your Dovecot configuration. +此时,你已有一个工作的IMAP和POP3邮件服务器,并且你也知道该如何测试你的服务器。你的用户将在他们设置邮件客户端时选择要使用的协议。如果您只想支持一个邮件协议,那么只需要命名您的Dovecot配置中的一个。 -However, you are far from finished. This is a very simple, wide-open setup with no encryption. It also works only for users on the same system as your mail server. This is not scalable and has some security risks, such as no protection for passwords. Come back [next week ][6]to learn how to create mail users that are separate from system users, and how to add encryption. +然而,这还远远没有完成。这是一个非常简单、没有加密的开放的安装。它也只适用于与邮件服务器在同一系统上的用户。这是不可扩展的,并具有一些安全风险,例如没有密码保护。 我们会在[下周][6]了解如何创建与系统用户分开的邮件用户,以及如何添加加密。 -------------------------------------------------------------------------------- via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-2 作者:[ CARLA SCHRODER][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 54150a0d8b2b468f7dd0f076a31d0d6f7b15a48b Mon Sep 17 00:00:00 2001 
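Review bot: In the closing paragraph of the `@@ -223,26 +221,27 @@` hunk, "例如没有密码保护" reads as "there is no password protection", but the source says "no protection for passwords": logins exist, and the passwords themselves are unprotected because the setup has no encryption. Suggest "例如密码没有受到任何保护" so the warning stays accurate. The figure caption is also only half translated ("图1: Thunderbird mail.[Used with permission][1]"), and since the `校对` field is still the placeholder, these are worth fixing before the proofreading pass.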
From: Ezio Date: Thu, 29 Dec 2016 11:58:46 +0800 Subject: [PATCH 076/181] =?UTF-8?q?20161229-9=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...01 How to Configure a Firewall with UFW.md | 252 ++++++++++++++++++ 1 file changed, 252 insertions(+) create mode 100644 sources/tech/20161201 How to Configure a Firewall with UFW.md diff --git a/sources/tech/20161201 How to Configure a Firewall with UFW.md b/sources/tech/20161201 How to Configure a Firewall with UFW.md new file mode 100644 index 0000000000..91d8362e7d --- /dev/null +++ b/sources/tech/20161201 How to Configure a Firewall with UFW.md 
@@ -0,0 +1,252 @@ +How to Configure a Firewall with UFW +============================================================ + +UFW, or _uncomplicated firewall_, is a frontend for managing firewall rules Arch Linux, Debian or Ubuntu. UFW is used through the command line (although it has GUIs available), and aims to make firewall configuration easy (or, uncomplicated). + + ![How to Configure a Firewall with UFW](https://www.linode.com/docs/assets/ufw_tg.png "How to Configure a Firewall with UFW") + +### Before You Begin + +1. Familiarize yourself with our [Getting Started][1] guide and complete the steps for setting your Linode’s hostname and timezone. + +2. This guide will use `sudo` wherever possible. Complete the sections of our [Securing Your Server][2]guide to create a standard user account, harden SSH access and remove unnecessary network services. Do **not** follow the Creating a Firewall section–this guide is an introduction to using UFW, which is a separate method of controlling a firewall than iptables commands. + +3. Update your system. + + **Arch Linux** + + ``` + sudo pacman -Syu + ``` + + + **Debian / Ubuntu** + + ``` + sudo apt-get update && sudo apt-get upgrade + ``` + + +### Install UFW + +UFW is included in Ubuntu by default but must be installed in Arch and Debian. Debian will start UFW’s systemd unit automatically and enable it to start on reboots, but Arch will not. _This is not the same as telling UFW to enable the firewall rules_, as enabling UFW with systemd or upstart only tells the init system to switch on the UFW daemon. + +By default, UFW’s rulesets are blank so it is not enforcing any firewall rules–even when the daemon is running. Enforcing your firewall ruleset is covered [further down the page][3]. + +### Arch Linux + +1. Install UFW: + + ``` + sudo pacman -S ufw + ``` + + +2. Start and enable UFW’s systemd unit: + + ``` + sudo systemctl start ufw + sudo systemctl enable ufw + ``` + +### Debian / Ubuntu + +1. 
Install UFW + + ``` + sudo apt-get install ufw + ``` + + +### Use UFW to Manage Firewall Rules + +### Set Default Rules + +Most systems will need a only a small number of ports open for incoming connections, and all remaining ports closed. To start with an easy basis of rules, the `ufw default` command can be used to set the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, run: + +``` +sudo ufw default allow outgoing +sudo ufw default deny incoming +``` + + +The `ufw default` command also allows for the use of the `reject` parameter. + +> Configuring a default reject or deny rule can lock you out of your Linode unless explicit allow rules are in place. Ensure that you have configured allow rules for SSH and other critical services as per the section below before applying default deny or reject rules. + +### Add Rules + +Rules can be added in two ways: By denoting the **port number** or by using the **service name**. + +For example, to allow both incoming and outgoing connections on port 22 for SSH, you can run: + +``` +sudo ufw allow ssh +``` + +You can also run: + +``` +sudo ufw allow 22 +``` + +Similarly, to **deny** traffic on a certain port (in this example, 111) you would only have to run: + +``` +sudo ufw deny 111 +``` + +To farther fine-tune your rules, you can also allow packets based on TCP or UDP. The following will allow TCP packets on port 80: + + +``` +sudo ufw allow 80/tcp +sudo ufw allow http/tcp +``` + +Whereas this will allow UDP packets on 1725: + + +``` +sudo ufw allow 1725/udp +``` + + +### Advanced Rules + +Along with allowing or denying based solely on port, UFW also allows you to allow/block by IP addresses, subnets, and a IP address/subnet/port combinations. 
+ +To allow connections from an IP address: + +``` +sudo ufw allow from 123.45.67.89 +``` + + +To allow connections from a specific subnet: + +``` +sudo ufw allow from 123.45.67.89/24 +``` + +To allow a specific IP address/port combination: + +``` +sudo ufw allow from 123.45.67.89 to any port 22 proto tcp +``` + + +`proto tcp` can be removed or switched to `proto udp` depending upon your needs, and all instances of `allow` can be changed to `deny` as needed. + +### Remove Rules + +To remove a rule, add `delete` before the rule implementation. If you no longer wished to allow HTTP traffic, you could run: + + +``` +sudo ufw delete allow 80 +``` + +Deleting also allows the use of service names. + +### Edit UFW’s Configuration Files + +Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Prior to running the rules input through the terminal, UFW will run a file, `before.rules`, that allows loopback, ping, and DHCP. To add to alter these rules edit the `/etc/ufw/before.rules` file. A `before6.rules` file is also located in the same directory for IPv6. + +An `after.rule` and an `after6.rule` file also exists to add any rules that would need to be added after UFW runs your command-line-added rules. + +An additional configuration file is located at `/etc/default/ufw`. From here IPv6 can be disabled or enabled, default rules can be set, and UFW can be set to manage built-in firewall chains. + +### UFW Status + +You can check the status of UFW at any time with the command: `sudo ufw status`. 
This will show a list of all rules, and whether or not UFW is active: + +``` +Status: active + +To Action From +-- ------ ---- +22 ALLOW Anywhere +80/tcp ALLOW Anywhere +443 ALLOW Anywhere +22 (v6) ALLOW Anywhere (v6) +80/tcp (v6) ALLOW Anywhere (v6) +443 (v6) ALLOW Anywhere (v6) +``` + +### Enable the Firewall + +With your chosen rules in place, your initial run of `ufw status` will probably output `Status: inactive`. To enable UFW and enforce your firewall rules: + +``` +sudo ufw enable +``` + +Similarly, to disable UFW’s rules: + + +``` +sudo ufw disable +``` + +> This still leaves the UFW service running and enabled on reboots. + +### Logging + +You can enable logging with the command: + +``` +sudo ufw logging on +``` + +Log levels can be set by running `sudo ufw logging low|medium|high`, selecting either `low`, `medium`, or `high` from the list. The default setting is `low`. + +A normal log entry will resemble the following, and will be located at `/var/logs/ufw`: + +``` +Sep 16 15:08:14 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=123.45.67.89 DST=987.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 +``` + + +The initial values list the date, time, and hostname of your Linode. Additional important values include: + +* **[UFW BLOCK]:** This location is where the description of the logged event will be located. In this instance, it blocked a connection. + +* **IN:** If this contains a value, then the event was incoming + +* **OUT:** If this contain a value, then the event was outgoing + +* **MAC:** A combination of the destination and source MAC addresses + +* **SRC:** The IP of the packet source + +* **DST:** The IP of the packet destination + +* **LEN:** Packet length + +* **TTL:** The packet TTL, or _time to live_. How long it will bounce between routers until it expires, if no destination is found. 
+ +* **PROTO:** The packet’s protocal + +* **SPT:** The source port of the package + +* **DPT:** The destination port of the package + +* **WINDOW:** The size of the packet the sender can receive + +* **SYN URGP:** Indicated if a three-way handshake is required. `0` means it is not. + +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw + +作者:[Linode ][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw +[1]:https://www.linode.com/docs/getting-started +[2]:https://www.linode.com/docs/security/securing-your-server +[3]:http://localhost:4567/docs/security/firewalls/configure-firewall-with-ufw#enable-the-firewall From 904d3c85639e31a86e178261b95f554a35fdf0be Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 11:59:39 +0800 Subject: [PATCH 077/181] =?UTF-8?q?20161229-7=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...nization.md => 20161201 Using the NTP time synchronization.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sources/tech/{Using the NTP time synchronization.md => 20161201 Using the NTP time synchronization.md} (100%) diff --git a/sources/tech/Using the NTP time synchronization.md b/sources/tech/20161201 Using the NTP time synchronization.md similarity index 100% rename from sources/tech/Using the NTP time synchronization.md rename to sources/tech/20161201 Using the NTP time synchronization.md From 2f86591812be959b504fe8a3bdc063dc3bf82733 Mon Sep 17 00:00:00 2001 
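Review bot: in the UFW article added by the patch that ends at the `via: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw` footer above, the Logging section points readers at `/var/logs/ufw`, a path that does not exist on a stock system. On Ubuntu the `[UFW BLOCK]` entries are written to `/var/log/ufw.log`, so this needs a translator's note or a corrected path before the text is translated. The same file names `after.rule` and `after6.rule` where UFW ships `after.rules` and `after6.rules` (compare the `before.rules` it cites correctly). The `SYN URGP` bullet merges two separate log fields: `SYN` is the TCP flag set on the packet and `URGP=0` is the urgent pointer, so neither says whether a handshake is required. Link reference `[3]` targets `http://localhost:4567/...`, a local preview address that will not resolve for readers; point it at the section anchor on linode.com or drop it. "protocal", "To add to alter" and "source port of the package" are plain typos worth fixing in the same pass.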
From: xiaojin Date: Thu, 29 Dec 2016 12:00:58 +0800 Subject: [PATCH 078/181] =?UTF-8?q?Update=2020161205=20Manage=20Samba4=20A?= =?UTF-8?q?ctive=20Directory=20Infrastructure=20from=20Windows10=20via=20R?= =?UTF-8?q?SAT=20=E2=80=93=20Part=203.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 申请翻译 --- ...Directory Infrastructure from Windows10 via RSAT – Part 3.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md b/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md index cd00ef3c26..cf1b14118d 100644 --- a/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md +++ b/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md @@ -1,3 +1,5 @@ +Rusking translating + Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3 ============================================================ From bd5d72172b15058293b5b92e171b196a59472bd2 Mon Sep 17 00:00:00 2001 From: xiaojin Date: Thu, 29 Dec 2016 12:01:18 +0800 Subject: [PATCH 079/181] =?UTF-8?q?Update=2020161207=20Manage=20Samba4=20A?= =?UTF-8?q?D=20Domain=20Controller=20DNS=20and=20Group=20Policy=20from=20W?= =?UTF-8?q?indows=20=E2=80=93=20Part=204.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 申请翻译 --- ...ain Controller DNS and Group Policy from Windows – Part 4.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md b/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md index d91b2915b2..85ea330a5d 100644 --- a/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md 
+++ b/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md @@ -1,3 +1,5 @@ +Rusking translating + Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4 ============================================================ From de17a460b4df97ec6cef02e24e7f69e9f37ebf54 Mon Sep 17 00:00:00 2001 From: wxy Date: Thu, 29 Dec 2016 12:42:46 +0800 Subject: [PATCH 080/181] PROOF:20160923 PyCharm - The Best Linux Python IDE @ucasFL --- ...923 PyCharm - The Best Linux Python IDE.md | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md b/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md index 7c7aaa5418..a21321caa2 100644 --- a/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md +++ b/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md @@ -1,4 +1,4 @@ -PyCharm - Linux 下最好的 Python IDE(集成开发环境) +PyCharm - Linux 下最好的 Python IDE ========= ![](https://fthmb.tqn.com/AVEbzYN3BPH_8cGYkPflIx58-XE=/768x0/filters:no_upscale()/about/pycharm2-57e2d5ee5f9b586c352c7493.png) @@ -12,9 +12,7 @@ PyCharm 是由 [Jetbrains][3] 开发的一个编辑器和调试器,[Jetbrains] ### 如何安装 PyCharm -我已经写了一篇关于如何获取 PyCharm 的指南,下载,解压文件,然后运行。 - -[点击链接][4]. +我已经[写了一篇][4]关于如何获取 PyCharm 的指南,下载、解压文件,然后运行。 ### 欢迎界面 @@ -24,7 +22,7 @@ PyCharm 是由 [Jetbrains][3] 开发的一个编辑器和调试器,[Jetbrains] * 创建新项目 * 打开项目 -* 版本控制检查 +* 从版本控制仓库检出 还有一个配置设置选项,你可以通过它设置默认 Python 版本或者一些其他设置。 @@ -46,7 +44,7 @@ PyCharm 是由 [Jetbrains][3] 开发的一个编辑器和调试器,[Jetbrains] * Twitter Bootstrap * Web Starter Kit -这不是一个编程教程,所以我没必要说明这些项目类型是什么。如果你想创建一个可以运行在 Windows、Linux 和 Mac 上的简单桌面运行程序,那么你可以选择 Pure Python 项目,然后使用 QT 库来开发图形应用程序,这样的图形应用程序无论在任何操作系统上运行,看起来都像是原生的,就像是在该系统上开发的一样。 +这不是一个编程教程,所以我没必要说明这些项目类型是什么。如果你想创建一个可以运行在 Windows、Linux 和 Mac 上的简单桌面运行程序,那么你可以选择 Pure Python 项目,然后使用 Qt 库来开发图形应用程序,这样的图形应用程序无论在何种操作系统上运行,看起来都像是原生的,就像是在该系统上开发的一样。 选择了项目类型以后,你需要输入一个项目名字并且选择一个 Python 版本来进行开发。 
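Review bot: the rewritten line in the `@@ -46,7 +44,7 @@` hunk still reads 简单桌面运行程序, while the rest of the same sentence uses 图形应用程序 twice. Since this proofreading pass already touches the line (QT to Qt, 任何 to 何种), change 运行程序 to 应用程序 here so the term is consistent.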
@@ -58,15 +56,15 @@ PyCharm 是由 [Jetbrains][3] 开发的一个编辑器和调试器,[Jetbrains] PyCharm 提供了从各种在线资源查看项目源码的选项,在线资源包括 [GitHub][5]、[CVS][6]、Git、[Mercurial][7] 以及 [Subversion][8]。 -### PyCharm IDE(集成开发环境) +### PyCharm IDE(集成开发环境) -PyCharm IDE 可以通过顶部的一个菜单打开,在这个菜单下面你可以为每个打开的项目‘贴上’标签。 +PyCharm IDE 中可以打开顶部的菜单,在这个菜单下方你可以看到每个打开的项目的标签。 屏幕右方是调试选项区,可以单步运行代码。 -左面板有一系列项目文件和外部库。 +左侧面板有项目文件和外部库的列表。 -如果想在项目中新建一个文件,你可以‘右击’项目名字,然后选择‘新建’。然后你可以在下面这些文件类型中选择一种添加到项目中: +如果想在项目中新建一个文件,你可以鼠标右击项目的名字,然后选择‘新建’。然后你可以在下面这些文件类型中选择一种添加到项目中: * 文件 * 目录 @@ -101,13 +99,12 @@ PyCharm IDE 可以通过顶部的一个菜单打开,在这个菜单下面你 当你运行到一行代码的时候,你可以对这行代码中出现的变量进行监视,这样当变量值改变的时候你能够看到。 -另一个不错的选择是运行检查器覆盖的代码。在过去这些年里,编程界发生了很大的变化,现在,对于开发人员来说,进行测试驱动开发是很常见的,这样他们可以检查对程序所做的每一个改变,确保不会破坏系统的另一部分。 +另一个不错的选择是使用覆盖检查器运行代码。在过去这些年里,编程界发生了很大的变化,现在,对于开发人员来说,进行测试驱动开发是很常见的,这样他们可以检查对程序所做的每一个改变,确保不会破坏系统的另一部分。 -检查器能够很好的帮助你运行程序,执行一些测试,运行结束以后,它会以百分比的形式告诉你测试运行所覆盖的代码有多少。 +覆盖检查器能够很好的帮助你运行程序,执行一些测试,运行结束以后,它会以百分比的形式告诉你测试运行所覆盖的代码有多少。 还有一个工具可以显示‘类函数’或‘类’的名字,以及一个项目被调用的次数和在一个特定代码片段运行所花费的时间。 - ### 代码重构 PyCharm 一个很强大的特性是代码重构选项。 @@ -122,7 +119,7 @@ PyCharm 一个很强大的特性是代码重构选项。 你不必遵循 PyCharm 的所有规则。这些规则大部分只是好的编码准则,与你的代码是否能够正确运行无关。 -代码菜单还有其他重构选项。比如,你可以进行代码清理以及检查文件或项目问题。 +代码菜单还有其它的重构选项。比如,你可以进行代码清理以及检查文件或项目问题。 ### 总结 @@ -130,11 +127,11 @@ PyCharm 是 Linux 系统上开发 Python 代码的一个优秀编辑器,并且 -------------------------------------------------------------------------------- -via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 +via: https://www.lifewire.com/pycharm-the-best-linux-python-ide-4091045 -作者:[Gary Newell ][a] +作者:[Gary Newell][a] 译者:[ucasFL](https://github.com/ucasFL) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 From 266798ecf9ecdf2d54d9b2dd0e91b6853b06b0c9 Mon Sep 17 00:00:00 2001 
From: wxy Date: Thu, 29 Dec 2016 12:43:02 +0800 Subject: [PATCH 081/181] PUB:20160923 PyCharm - The Best Linux Python IDE @ucasFL --- .../20160923 PyCharm - The Best Linux Python IDE.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20160923 PyCharm - The Best Linux Python IDE.md (100%) diff --git a/translated/tech/20160923 PyCharm - The Best Linux Python IDE.md b/published/20160923 PyCharm - The Best Linux Python IDE.md similarity index 100% rename from translated/tech/20160923 PyCharm - The Best Linux Python IDE.md rename to published/20160923 PyCharm - The Best Linux Python IDE.md From 6b7ea1bab0b6bdae5a7cc2c26f76dac7032d8ec9 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 12:50:51 +0800 Subject: [PATCH 082/181] translating --- .../tech/Building an Email Server on Ubuntu Linux - Part 3.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md b/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md index aeee0b4273..0c7858a8b0 100644 --- a/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md +++ b/sources/tech/Building an Email Server on Ubuntu Linux - Part 3.md @@ -1,3 +1,5 @@ +translating---geekpi + Building an Email Server on Ubuntu Linux, Part 3 ============================================================ From 2ce30c24f56573272209e552e332f9537958795a Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 13:50:22 +0800 Subject: [PATCH 083/181] =?UTF-8?q?=E9=87=8D=E5=A4=8D=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ucture from Linux Command Line – Part 2.md | 394 ------------------ 1 file changed, 394 deletions(-) delete mode 100644 sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md 
diff --git a/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md deleted file mode 100644 index 05244e22db..0000000000 --- a/sources/tech/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md +++ /dev/null 
@@ -1,394 +0,0 @@ -How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2 -============================================================ - -This tutorial will cover [some basic daily commands][4] you need to use in order to manage Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups. - -We’ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller. - -#### Requirements - -1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] -2. [Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3][2] -3. [Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4][3] - -### Step 1: Manage Samba AD DC from Command Line - -1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain. - -With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions. - -To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter. - -``` -# samba-tool -h -``` -[ - ![samba-tool - Manage Samba Administration Tool](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png) -][5] - -samba-tool – Manage Samba Administration Tool - -2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users. 
- -In order to create a user on AD use the following command: - -``` -# samba-tool user add your_domain_user -``` - -To add a user with several important fields required by AD, use the following syntax: - -``` ---------- review all options --------- -# samba-tool user add -h -# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash -``` -[ - ![Create User on Samba AD](http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png) -][6] - -Create User on Samba AD - -3. A listing of all samba AD domain users can be obtained by issuing the following command: - -``` -# samba-tool user list -``` -[ - ![List Samba AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png) -][7] - -List Samba AD Users - -4. To delete a samba AD domain user use the below syntax: - -``` -# samba-tool user delete your_domain_user -``` - -5. Reset a samba domain user password by executing the below command: - -``` -# samba-tool user setpassword your_domain_user -``` - -6. In order to disable or enable an samba AD User account use the below command: - -``` -# samba-tool user disable your_domain_user -# samba-tool user enable your_domain_user -``` - -7. Likewise, samba groups can be managed with the following command syntax: - -``` ---------- review all options --------- -# samba-tool group add –h -# samba-tool group add your_domain_group -``` - -8. Delete a samba domain group by issuing the below command: - -``` -# samba-tool group delete your_domain_group -``` - -9. To display all samba domain groups run the following command: - -``` -# samba-tool group list -``` - -10. 
To list all the samba domain members in a specific group use the command: - -``` -# samba-tool group listmembers "your_domain group" -``` -[ - ![List Samba Domain Members of Group](http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png) -][8] - -List Samba Domain Members of Group - -11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands: - -``` -# samba-tool group addmembers your_domain_group your_domain_user -# samba-tool group remove members your_domain_group your_domain_user -``` - -12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security. - -To review your samba domain password settings use the below command: - -``` -# samba-tool domain passwordsettings show -``` -[ - ![Check Samba Domain Password](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png) -][9] - -Check Samba Domain Password - -13. In order to modify samba domain password policy, such as the password complexity level, password ageing, length, how many old password to remember and other security features required for a Domain Controller use the below screenshot as a guide. - -``` ----------- List all command options ---------- -# samba-tool domain passwordsettings -h -``` -[ - ![Manage Samba Domain Password Settings](http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png) -][10] - -Manage Samba Domain Password Settings - -Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes. - -### Step 2: Samba Local Authentication Using Active Directory Accounts - -14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DCenvironment. 
- -In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC. - -First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot. - -``` -$ sudo nano /etc/samba/smb.conf -``` - -Make sure the following statements appear on the configuration file: - -``` -winbind enum users = yes -winbind enum groups = yes -``` -[ - ![Samba Authentication Using Active Directory User Accounts](http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png) -][11] - -Samba Authentication Using Active Directory User Accounts - -15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command. - -``` -$ testparm -$ sudo systemctl restart samba-ad-dc.service -``` -[ - ![Check Samba Configuration for Errors](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png) -][12] - -Check Samba Configuration for Errors - -16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directory accounts to be able to authenticate and open a session on the local system and create a home directory for users at first login. - -Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using `[space]` key as illustrated on the below screenshot. - -When finished hit `[Tab]` key to move to Ok and apply changes. 
- -``` -$ sudo pam-auth-update -``` -[ - ![Configure PAM for Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png) -][13] - -Configure PAM for Samba4 AD - -[ - ![Enable PAM Authentication Module for Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png) -][14] - -Enable PAM Authentication Module for Samba4 AD Users - -17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot. - -``` -$ sudo vi /etc/nsswitch.conf -``` -[ - ![Add Windbind Service Switch for Samba](http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png) -][15] - -Add Windbind Service Switch for Samba - -18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement. - -This setting assures that Active Directory users can change their password from command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from console. - -``` -password [success=1 default=ignore] pam_winbind.so try_first_pass -``` -[ - ![Allow Samba AD Users to Change Passwords](http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png) -][16] - -Allow Samba AD Users to Change Passwords - -Remove use_authtok option each time PAM updates are installed and applied to PAM modules or each time you execute pam-auth-update command. - -19. Samba4 binaries comes with a winbindd daemon built-in and enabled by default. - -For this reason you’re no longer required to separately enable and run winbind daemon provided by winbind package from official Ubuntu repositories. 
- -In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands: - -``` -$ sudo systemctl disable winbind.service -$ sudo systemctl stop winbind.service -``` - -Although, we no longer need to run old winbind daemon, we still need to install Winbind package from repositories in order to install and use wbinfo tool. - -Wbinfo utility can be used to query Active Directory users and groups from winbindd daemon point of view. - -The following commands illustrates how to query AD users and groups using wbinfo. - -``` -$ wbinfo -g -$ wbinfo -u -$ wbinfo -i your_domain_user -``` -[ - ![Check Samba4 AD Information ](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png) -][17] - -Check Samba4 AD Information - -[ - ![Check Samba4 AD User Info](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png) -][18] - -Check Samba4 AD User Info - -20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file. - -Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database. - -``` -# getent passwd | grep TECMINT -# getent group | grep TECMINT -``` -[ - ![Get Samba4 AD Details](http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png) -][19] - -Get Samba4 AD Details - -### Step 3: Login in Linux with an Active Directory User - -21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after `su -` command. - -At the first login a message will be displayed on the console which notifies you that a home directory has been created on `/home/$DOMAIN/` system path with the mane of your AD username. - -Use id command to display extra information about the authenticated user. 
- -``` -# su - your_ad_user -$ id -$ exit -``` -[ - ![Check Samba4 AD User Authentication on Linux](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png) -][20] - -Check Samba4 AD User Authentication on Linux - -22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system. - -``` -$ su - your_ad_user -$ passwd -``` -[ - ![Change Samba4 AD User Password](http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png) -][21] - -Change Samba4 AD User Password - -23. By default, Active Directory users are not granted with root privileges in order to perform administrative tasks on Linux. - -To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command. - -Make sure you enclose the realm, slash and AD username with single ASCII quotes. - -``` -# usermod -aG sudo 'DOMAIN\your_domain_user' -``` - -To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions. - -``` -# su - tecmint_user -$ sudo apt-get update -``` -[ - ![Grant sudo Permission to Samba4 AD User](http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png) -][22] - -Grant sudo Permission to Samba4 AD User - -24. In case you want to add root privileges for all accounts of an Active Directory group, edit /etc/sudoers file using visudo command and add the below line after root privileges line, as illustrated on the below screenshot: - -``` -%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL -``` - -Pay attention to sudoers syntax so you don’t break things out. 
- -Sudoers file doesn’t handles very well the use of ASCII quotation marks, so make sure you use `%` to denote that you’re referring to a group and use a backslash to escape the first slash after the domain name and another backslash to escape spaces if your group name contains spaces (most of AD built-in groups contain spaces by default). Also, write the realm with uppercases. - -[ - ![Give Sudo Access to All Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png) -][23] - -Give Sudo Access to All Samba4 AD Users - -That’s all for now! Managing Samba4 AD infrastructure can be also achieved with several tools from Windows environment, such as ADUC, DNS Manager, GPM or other, which can be obtained by installing RSAT package from Microsoft download page. - -To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial, till then stay tuned to TecMint. - ------- - -作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. 
- - --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ - -作者:[Matei Cezar ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/cezarmatei/ -[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ -[2]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ -[3]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ -[4]:http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/ -[5]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Administration-Tool.png -[6]:http://www.tecmint.com/wp-content/uploads/2016/11/Create-User-on-Samba-AD.png -[7]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-AD-Users.png -[8]:http://www.tecmint.com/wp-content/uploads/2016/11/List-Samba-Domain-Members-of-Group.png -[9]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Domain-Password.png -[10]:http://www.tecmint.com/wp-content/uploads/2016/11/Manage-Samba-Domain-Password-Settings.png -[11]:http://www.tecmint.com/wp-content/uploads/2016/11/Samba-Authentication-Using-Active-Directory-Accounts.png -[12]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba-Configuration-for-Errors.png -[13]:http://www.tecmint.com/wp-content/uploads/2016/11/PAM-Configuration-for-Samba4-AD.png -[14]:http://www.tecmint.com/wp-content/uploads/2016/11/Enable-PAM-Authentication-Module-for-Samba4-AD.png -[15]:http://www.tecmint.com/wp-content/uploads/2016/11/Add-Windbind-Service-Switch-for-Samba.png -[16]:http://www.tecmint.com/wp-content/uploads/2016/11/Allow-Samba-AD-Users-to-Change-Password.png -[17]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Information-of-Samba4-AD.png 
-[18]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Info.png -[19]:http://www.tecmint.com/wp-content/uploads/2016/11/Get-Samba4-AD-Details.png -[20]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Samba4-AD-User-Authentication-on-Linux.png -[21]:http://www.tecmint.com/wp-content/uploads/2016/11/Change-Samba4-AD-User-Password.png -[22]:http://www.tecmint.com/wp-content/uploads/2016/11/Grant-sudo-Permission-to-Samba4-AD-User.png -[23]:http://www.tecmint.com/wp-content/uploads/2016/11/Give-Sudo-Access-to-All-Samba4-AD-Users.png -[24]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# -[25]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# -[26]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# -[27]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/# -[28]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/#comments From 04cb6d6115f850e7055d0d17273a237f10f7cf50 Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 13:52:14 +0800 Subject: [PATCH 084/181] =?UTF-8?q?20161229-10=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...20161216 Kprobes Event Tracing on ARMv8.md | 334 ++++++++++++++++++ 1 file changed, 334 insertions(+) create mode 100644 sources/tech/20161216 Kprobes Event Tracing on ARMv8.md diff --git a/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md b/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md new file mode 100644 index 0000000000..cb8ef32640 --- /dev/null +++ b/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md 
@@ -0,0 +1,334 @@ +# Kprobes Event Tracing on ARMv8 + + + ![core-dump](http://www.linaro.org/wp-content/uploads/2016/02/core-dump.png) + +### Introduction + +Kprobes is a kernel feature that allows instrumenting the kernel by setting arbitrary breakpoints that call out to developer-supplied routines before and after the breakpointed instruction is executed (or simulated). See the kprobes documentation[[1]][2] for more information. Basic kprobes functionality is selected withCONFIG_KPROBES. Kprobes support was added to mainline for arm64 in the v4.8 release. + +In this article we describe the use of kprobes on arm64 using the debugfs event tracing interfaces from the command line to collect dynamic trace events. This feature has been available for some time on several architectures (including arm32), and is now available on arm64\. The feature allows use of kprobes without having to write any code. + +### Types of Probes + +The kprobes subsystem provides three different types of dynamic probes described below. + +### Kprobes + +The basic probe is a software breakpoint kprobes inserts in place of the instruction you are probing, saving the original instruction for eventual single-stepping (or simulation) when the probe point is hit. + +### Kretprobes + +Kretprobes is a part of kprobes that allows intercepting a returning function instead of having to set a probe (or possibly several probes) at the return points. This feature is selected whenever kprobes is selected, for supported architectures (including ARMv8). + +### Jprobes + +Jprobes allows intercepting a call into a function by supplying an intermediary function with the same calling signature, which will be called first. Jprobes is a programming interface only and cannot be used through the debugfs event tracing subsystem. As such we will not be discussing jprobes further here. Consult the kprobes documentation if you wish to use jprobes. 
+ +### Invoking Kprobes + +Kprobes provides a set of APIs which can be called from kernel code to set up probe points and register functions to be called when probe points are hit. Kprobes is also accessible without adding code to the kernel, by writing to specific event tracing debugfs files to set the probe address and information to be recorded in the trace log when the probe is hit. The latter is the focus of what this document will be talking about. Lastly kprobes can be accessed through the perf command. + +### Kprobes API + +The kernel developer can write functions in the kernel (often done in a dedicated debug module) to set probe points and take whatever action is desired right before and right after the probed instruction is executed. This is well documented in kprobes.txt. + +### Event Tracing + +The event tracing subsystem has its own documentation[[2]][3] which might be worth a read to understand the background of event tracing in general. The event tracing subsystem serves as a foundation for both tracepoints and kprobes event tracing. The event tracing documentation focuses on tracepoints, so bear that in mind when consulting that documentation. Kprobes differs from tracepoints in that there is no predefined list of tracepoints but instead arbitrary dynamically created probe points that trigger the collection of trace event information. The event tracing subsystem is controlled and monitored through a set of debugfs files. Event tracing (CONFIG_EVENT_TRACING) will be selected automatically when needed by something like the kprobe event tracing subsystem. + +#### Kprobes Events + +With the kprobes event tracing subsystem the user can specify information to be reported at arbitrary breakpoints in the kernel, determined simply by specifying the address of any existing probeable instruction along with formatting information. 
When that breakpoint is encountered during execution kprobes passes the requested information to the common parts of the event tracing subsystem which formats and appends the data to the trace log, much like how tracepoints works. Kprobes uses a similar but mostly separate collection of debugfs files to control and display trace event information. This feature is selected withCONFIG_KPROBE_EVENT. The kprobetrace documentation[[3]][4] provides the essential information on how to use kprobes event tracing and should be consulted to understand details about the examples presented below. + +### Kprobes and Perf + +The perf tools provide another command line interface to kprobes. In particular “perf probe” allows probe points to be specified by source file and line number, in addition to function name plus offset, and address. The perf interface is really a wrapper for using the debugfs interface for kprobes. + +### Arm64 Kprobes + +All of the above aspects of kprobes are now implemented for arm64, in practice there are some differences from other architectures though: + +* Register name arguments are, of course, architecture specific and can be found in the ARM ARM. + +* Not all instruction types can currently be probed. Currently unprobeable instructions include mrs/msr(except DAIF read), exception generation instructions, eret, and hint (except for the nop variant). In these cases it is simplest to just probe a nearby instruction instead. These instructions are blacklisted from probing because the changes they cause to processor state are unsafe to do during kprobe single-stepping or instruction simulation, because the single-stepping context kprobes constructs is inconsistent with what the instruction needs, or because the instruction can’t tolerate the additional processing time and exception handling in kprobes (ldx/stx). 
+* An attempt is made to identify instructions within a ldx/stx sequence and prevent probing, however it is theoretically possible for this check to fail resulting in allowing a probed atomic sequence which can never succeed. Be careful when probing around atomic code sequences. +* Note that because of the details of Linux ARM64 calling conventions it is not possible to reliably duplicate the stack frame for the probed function and for that reason no attempt is made to do so with jprobes, unlike the majority of other architectures supporting jprobes. The reason for this is that there is insufficient information for the callee to know for certain the amount of the stack that is needed. + +* Note that the stack pointer information recorded from a probe will reflect the particular stack pointer in use at the time the probe was hit, be it the kernel stack pointer or the interrupt stack pointer. +* There is a list of kernel functions which cannot be probed, usually because they are called as part of kprobes processing. Part of this list is architecture-specific and also includes things like exception entry code. + +### Using Kprobes Event Tracing + +One common use case for kprobes is instrumenting function entry and/or exit. It is particularly easy to install probes for this since one can just use the function name for the probe address. Kprobes event tracing will look up the symbol name and determine the address. The ARMv8 calling standard defines where the function arguments and return values can be found, and these can be printed out as part of the kprobe event processing. + +### Example: Function entry probing + +Instrumenting a USB ethernet driver reset function: + +``` +_$ pwd +/sys/kernel/debug/tracing +$ cat > kprobe_events < events/kprobes/enable_ +``` + +At this point a trace event will be recorded every time the driver’s _ax8872_reset()_ function is called. 
The event will display the pointer to the _usbnet_ structure passed in via X0 (as per the ARMv8 calling standard) as this function’s only argument. After plugging in a USB dongle requiring this ethernet driver we see the following trace information: + +``` +_$ cat trace +# tracer: nop +# +# entries-in-buffer/entries-written: 1/1   #P:8 +# +#                           _—–=> irqs-off +#                          / _—-=> need-resched +#                         | / _—=> hardirq/softirq +#                         || / _–=> preempt-depth +#                         ||| / delay +#        TASK-PID   CPU#  |||| TIMESTAMP  FUNCTION +#           | |    |   ||||    |      | +kworker/0:0-4             [000] d… 10972.102939:   p_ax88772_reset_0: +(ax88772_reset+0x0/0x230)   arg1=0xffff800064824c80_ +``` + +Here we can see the value of the pointer argument passed in to our probed function. Since we did not use the optional labelling features of kprobes event tracing the information we requested is automatically labeled_arg1_.  Note that this refers to the first value in the list of values we requested that kprobes log for this probe, not the actual position of the argument to the function. In this case it also just happens to be the first argument to the function we’ve probed. + +### Example: Function entry and return probing + +The kretprobe feature is used specifically to probe a function return. At function entry the kprobes subsystem will be called and will set up a hook to be called at function return, where it will record the requested event information. For the most common case the return information, typically in the X0 register, is quite useful. The return value in %x0 can also be referred to as _$retval_. The following example also demonstrates how to provide a human-readable label to be displayed with the information of interest. 
+ +Example of instrumenting the kernel __do_fork()_ function to record arguments and results using a kprobe and a kretprobe: + +``` +_$ cd /sys/kernel/debug/tracing +$ cat > kprobe_events < events/kprobes/enable_ +``` + +At this point every call to _do_fork() will produce two kprobe events recorded into the “_trace_” file, one reporting the calling argument values and one reporting the return value. The return value shall be labeled “_pid_” in the trace file. Here are the contents of the trace file after three fork syscalls have been made: + +``` +_$ cat trace +# tracer: nop +# +# entries-in-buffer/entries-written: 6/6   #P:8 +# +#                              _—–=> irqs-off +#                             / _—-=> need-resched +#                            | / _—=> hardirq/softirq +#                            || / _–=> preempt-depth +#                            ||| /     delay +#           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION +#              | |       |   ||||       |         | +              bash-1671  [001] d…   204.946007: p__do_fork_0: (_do_fork+0x0/0x3e4) arg1=0x1200011 arg2=0x0 arg3=0x0 arg4=0x0 arg5=0xffff78b690d0 arg6=0x0 +              bash-1671  [001] d..1   204.946391: r__do_fork_0: (SyS_clone+0x18/0x20 <- _do_fork) pid=0x724 +              bash-1671  [001] d…   208.845749: p__do_fork_0: (_do_fork+0x0/0x3e4) arg1=0x1200011 arg2=0x0 arg3=0x0 arg4=0x0 arg5=0xffff78b690d0 arg6=0x0 +              bash-1671  [001] d..1   208.846127: r__do_fork_0: (SyS_clone+0x18/0x20 <- _do_fork) pid=0x725 +              bash-1671  [001] d…   214.401604: p__do_fork_0: (_do_fork+0x0/0x3e4) arg1=0x1200011 arg2=0x0 arg3=0x0 arg4=0x0 arg5=0xffff78b690d0 arg6=0x0 +              bash-1671  [001] d..1   214.401975: r__do_fork_0: (SyS_clone+0x18/0x20 <- _do_fork) pid=0x726_ +``` + +### Example: Dereferencing pointer arguments + +For pointer values the kprobe event processing subsystem also allows dereferencing and printing of desired memory contents, for various base data 
types. It is necessary to manually calculate the offset into structures in order to display a desired field. + +Instrumenting the `_do_wait()` function: + +``` +_$ cat > kprobe_events < events/kprobes/enable_ +``` + +Note that the argument labels used in the first probe are optional and can be used to more clearly identify the information recorded in the trace log. The signed offset and parentheses indicate that the register argument is a pointer to memory contents to be recorded in the trace log. The “_:u32_” indicates that the memory location contains an unsigned four-byte wide datum (an enum and an int in a locally defined structure in this case). + +The probe labels (after the colon) are optional and will be used to identify the probe in the log. The label must be unique for each probe. If unspecified a useful label will be automatically generated from a nearby symbol name, as has been shown in earlier examples. + +Also note the “_$retval_” argument could just be specified as “_%x0_“. 
+ +Here are the contents of the “_trace_” file after two fork syscalls have been made: + +``` +_$ cat trace +# tracer: nop +# +# entries-in-buffer/entries-written: 4/4   #P:8 +# +#                              _—–=> irqs-off +#                             / _—-=> need-resched +#                            | / _—=> hardirq/softirq +#                            || / _–=> preempt-depth +#                            ||| /     delay +#           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION +#              | |       |   ||||       |         | +             bash-1702  [001] d…   175.342074: wait_p: (do_wait+0x0/0x260) wo_type=0x3 wo_flags=0xe +             bash-1702  [002] d..1   175.347236: wait_r: (SyS_wait4+0x74/0xe4 <- do_wait) arg1=0x757 +             bash-1702  [002] d…   175.347337: wait_p: (do_wait+0x0/0x260) wo_type=0x3 wo_flags=0xf +             bash-1702  [002] d..1   175.347349: wait_r: (SyS_wait4+0x74/0xe4 <- do_wait) arg1=0xfffffffffffffff6_ +``` + +### Example: Probing arbitrary instruction addresses + +In previous examples we have inserted probes for function entry and exit, however it is possible to probe an arbitrary instruction (with a few exceptions). If we are placing a probe inside a C function the first step is to look at the assembler version of the code to identify where we want to place the probe. One way to do this is to use gdb on the vmlinux file and display the instructions in the function where you wish to place the probe. An example of doing this for the _module_alloc_ function in arch/arm64/kernel/modules.c follows. 
In this case, because gdb seems to prefer using the weak symbol definition and it’s associated stub code for this function, we get the symbol value from System.map instead: + +``` +_$ grep module_alloc System.map +ffff2000080951c4 T module_alloc +ffff200008297770 T kasan_module_alloc_ +``` + +In this example we’re using cross-development tools and we invoke gdb on our host system to examine the instructions comprising our function of interest: + +``` +_$ ${CROSS_COMPILE}gdb vmlinux +(gdb) x/30i 0xffff2000080951c4 +        0xffff2000080951c4 :    sub    sp, sp, #0x30 +        0xffff2000080951c8 :    adrp    x3, 0xffff200008d70000 +        0xffff2000080951cc :    add    x3, x3, #0x0 +        0xffff2000080951d0 :    mov    x5, #0x713             // #1811 +        0xffff2000080951d4 :    mov    w4, #0xc0              // #192 +        0xffff2000080951d8 : +              mov    x2, #0xfffffffff8000000    // #-134217728 +        0xffff2000080951dc :    stp    x29, x30, [sp,#16]         0xffff2000080951e0 :    add    x29, sp, #0x10 +        0xffff2000080951e4 :    movk    x5, #0xc8, lsl #48 +        0xffff2000080951e8 :    movk    w4, #0x240, lsl #16 +        0xffff2000080951ec :    str    x30, [sp]         0xffff2000080951f0 :    mov    w7, #0xffffffff        // #-1 +        0xffff2000080951f4 :    mov    x6, #0x0               // #0 +        0xffff2000080951f8 :    add    x2, x3, x2 +        0xffff2000080951fc :    mov    x1, #0x8000            // #32768 +        0xffff200008095200 :    stp    x19, x20, [sp,#32]         0xffff200008095204 :    mov    x20, x0 +        0xffff200008095208 :    bl    0xffff2000082737a8 <__vmalloc_node_range> +        0xffff20000809520c :    mov    x19, x0 +        0xffff200008095210 :    cbz    x0, 0xffff200008095234 +        0xffff200008095214 :    mov    x1, x20 +        0xffff200008095218 :    bl    0xffff200008297770 +        0xffff20000809521c :    tbnz    w0, #31, 0xffff20000809524c +        0xffff200008095220 :    mov    sp, x29 +     
   0xffff200008095224 :    mov    x0, x19 +        0xffff200008095228 :    ldp    x19, x20, [sp,#16]         0xffff20000809522c :    ldp    x29, x30, [sp],#32 +        0xffff200008095230 :    ret +        0xffff200008095234 :    mov    sp, x29 +        0xffff200008095238 :    mov    x19, #0x0               // #0_ +``` + +In this case we are going to display the result from the following source line in this function: + +``` +_p = __vmalloc_node_range(size, MODULE_ALIGN, VMALLOC_START, +VMALLOC_END, GFP_KERNEL, PAGE_KERNEL_EXEC, 0, +NUMA_NO_NODE, __builtin_return_address(0));_ +``` + +…and also the return value from the function call in this line: + +``` +_if (p && (kasan_module_alloc(p, size) < 0)) {_ +``` + +We can identify these in the assembler code from the call to the external functions. To display these values we will place probes at 0xffff20000809520c _and _0xffff20000809521c on our target system: + +``` +_$ cat > kprobe_events < events/kprobes/enable_ +``` + +Now after plugging an ethernet adapter dongle into the USB port we see the following written into the trace log: + +``` +_$ cat trace +# tracer: nop +# +# entries-in-buffer/entries-written: 12/12   #P:8 +# +#                           _—–=> irqs-off +#                          / _—-=> need-resched +#                         | / _—=> hardirq/softirq +#                         || / _–=> preempt-depth +#                         ||| / delay +#        TASK-PID   CPU#  |||| TIMESTAMP  FUNCTION +#           | |    |   ||||    |      | +      systemd-udevd-2082  [000] d… 77.200991: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff200001188000 +      systemd-udevd-2082  [000] d… 77.201059: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0 +      systemd-udevd-2082  [000] d… 77.201115: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff200001198000 +      systemd-udevd-2082  [000] d… 77.201157: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0 +      systemd-udevd-2082  [000] d… 
77.227456: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff2000011a0000 +      systemd-udevd-2082  [000] d… 77.227522: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0 +      systemd-udevd-2082  [000] d… 77.227579: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff2000011b0000 +      systemd-udevd-2082  [000] d… 77.227635: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0 +      modprobe-2097  [002] d… 78.030643: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff2000011b8000 +      modprobe-2097  [002] d… 78.030761: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0 +      modprobe-2097  [002] d… 78.031132: p_0xffff20000809520c: (module_alloc+0x48/0x98) arg1=0xffff200001270000 +      modprobe-2097  [002] d… 78.031187: p_0xffff20000809521c: (module_alloc+0x58/0x98) arg1=0x0_ +``` + +One more feature of the kprobes event system is recording of statistics information, which can be found inkprobe_profile.  After the above trace the contents of that file are: + +``` +_$ cat kprobe_profile + p_0xffff20000809520c                                    6            0 +p_0xffff20000809521c                                    6            0_ +``` + +This indicates that there have been a total of 8 hits each of the two breakpoints we set, which of course is consistent with the trace log data.  More kprobe_profile features are described in the kprobetrace documentation. + +There is also the ability to further filter kprobes events.  The debugfs files used to control this are listed in the kprobetrace documentation while the details of their contents are (mostly) described in the trace events documentation. + +### Conclusion + +Linux on ARMv8 now is on parity with other architectures supporting the kprobes feature. Work is being done by others to also add uprobes and systemtap support. 
These features/tools and other already completed features (e.g.: perf, coresight) allow the Linux ARMv8 user to debug and test performance as they would on other, older architectures. + +* * * + +Bibliography + +[[1]][5] Jim Keniston, Prasanna S. Panchamukhi, Masami Hiramatsu. “Kernel Probes (Kprobes).” _GitHub_. GitHub, Inc., 15 Aug. 2016\. Web. 13 Dec. 2016. + +[[2]][6] Ts’o, Theodore, Li Zefan, and Tom Zanussi. “Event Tracing.” _GitHub_. GitHub, Inc., 3 Mar. 2016\. Web. 13 Dec. 2016. + +[[3]][7] Hiramatsu, Masami. “Kprobe-based Event Tracing.” _GitHub_. GitHub, Inc., 18 Aug. 2016\. Web. 13 Dec. 2016. + + +---------------- + +作者简介 : [David Long][8]David works as an engineer in the Linaro Kernel - Core Development team. Before coming to Linaro he spent several years in the commercial and defense industries doing both embedded realtime work, and software development tools for Unix. That was followed by a dozen years at Digital (aka Compaq) doing Unix standards, C compiler, and runtime library work. After that David went to a series of startups doing embedded Linux and Android, embedded custom OS's, and Xen virtualization. He has experience with MIPS, Alpha, and ARM platforms (amongst others). He has used most flavors of Unix starting in 1979 with Bell Labs V6, and has been a long-time Linux user and advocate. He has also occasionally been known to debug a device driver with a soldering iron and digital oscilloscope. 
+ +-------------------------------------------------------------------------------- + +via: http://www.linaro.org/blog/kprobes-event-tracing-armv8/ + +作者:[ David Long][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.linaro.org/author/david-long/ +[1]:http://www.linaro.org/blog/kprobes-event-tracing-armv8/# +[2]:https://github.com/torvalds/linux/blob/master/Documentation/kprobes.txt +[3]:https://github.com/torvalds/linux/blob/master/Documentation/trace/events.txt +[4]:https://github.com/torvalds/linux/blob/master/Documentation/trace/kprobetrace.txt +[5]:https://github.com/torvalds/linux/blob/master/Documentation/kprobes.txt +[6]:https://github.com/torvalds/linux/blob/master/Documentation/trace/events.txt +[7]:https://github.com/torvalds/linux/blob/master/Documentation/trace/kprobetrace.txt +[8]:http://www.linaro.org/author/david-long/ +[9]:http://www.linaro.org/blog/kprobes-event-tracing-armv8/#comments +[10]:http://www.linaro.org/blog/kprobes-event-tracing-armv8/# +[11]:http://www.linaro.org/tag/arm64/ +[12]:http://www.linaro.org/tag/armv8/ +[13]:http://www.linaro.org/tag/jprobes/ +[14]:http://www.linaro.org/tag/kernel/ +[15]:http://www.linaro.org/tag/kprobes/ +[16]:http://www.linaro.org/tag/kretprobes/ +[17]:http://www.linaro.org/tag/perf/ +[18]:http://www.linaro.org/tag/tracing/ From 81c14b40046471ff7900f99ffdd169e3b61fbd49 Mon Sep 17 00:00:00 2001 
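Review bot: In the added kprobes article, the sentence after the kprobe_profile listing says there were "a total of 8 hits each" on the two breakpoints, but the listing shows 6 for both probes and the trace header above it reports 12/12 entries, so the count should read 6. The four setup blocks also arrive as `cat > kprobe_events < events/kprobes/enable_`, with the here-document body that defines the probes missing; without it the function-entry, _do_fork, do_wait and module_alloc examples cannot be reproduced, so restore the probe definitions from the original post before this goes to translation. Smaller fixes in the same text: `_ax8872_reset()_` does not match `ax88772_reset` in the trace output, and "withCONFIG_KPROBE_EVENT", "inkprobe_profile" and "labeled_arg1_" have lost their spaces.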
From: geekpi Date: Thu, 29 Dec 2016 13:58:24 +0800 Subject: [PATCH 085/181] translated --- ... Email Server on Ubuntu Linux - Part 2.md} | 2 +- ...n Email Server on Ubuntu Linux - Part 3.md | 53 +++++++++---------- 2 files changed, 27 insertions(+), 28 deletions(-) rename translated/tech/{Building an Email Server on Ubuntu Linux - Part 2.md => 20161215 Building an Email Server on Ubuntu Linux - Part 2.md} (99%) rename {sources => translated}/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md (54%) diff --git a/translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md similarity index 99% rename from translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md rename to translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md index 62f0d8207b..7dc77cbec5 100644 --- a/translated/tech/Building an Email Server on Ubuntu Linux - Part 2.md +++ b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md @@ -1,4 +1,4 @@ -在Ubuntu上构建一台Email服务器(二) +在Ubuntu上搭建一台Email服务器(二) ============================================================ ### [dovecot-email.jpg][4] diff --git a/sources/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md similarity index 54% rename from sources/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md rename to translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md index 0c7858a8b0..e743c1b86b 100644 --- a/sources/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md +++ b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 3.md 
@@ -1,24 +1,23 @@ -translating---geekpi - -Building an Email Server on Ubuntu Linux, Part 3 +在Ubuntu上搭建一台Email服务器(四) ============================================================ ### [mail-server.jpg][2] ![Mail server](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/mail-server.jpg?itok=Ox1SCDsV "Mail server") -In the final part of this tutorial series, we go into detail on how to set up virtual users and mailboxes in Dovecot and Postfix.[Creative Commons Zero][1]pixabay +本系列的第四部分我们将详细介绍在Dovecot和Postfix中设置虚拟用户。以[Creative Commons Zero][2]Pixabay方式授权发布 -Welcome back, me hearty Linux syadmins! In [part 1][3] and [part 2][4] of this series, we learned to how to put Postfix and Dovecot together to make a nice IMAP and POP3 mail server. Now we will learn to make virtual users so that we can manage all of our users in Dovecot. +欢迎回来,我热心的Linux系统管理员们! 在本系列的[第一部分][3]和[第二部分][4]中,我们学习了如何将Postfix和Dovecot组合在一起,搭建一个不错的IMAP和POP3邮件服务器。 现在我们将学习设置虚拟用户,以便我们可以管理所有在Dovecot中的用户。 -### Sorry, No SSL. Yet. +### 抱歉还不能配置SSL -I know I promised to show you how to set up a proper SSL-protected server. Unfortunately, I underestimated how large that topic is. So, I will realio trulio write a comprehensive how-to by next month. +我知道我答应教你们如何设置一个正确的受SSL保护的服务器。 不幸的是,我低估了这个话题的范围。 所以,我会下个月再写一个全面的教程。 -For today, in this final part of this series, we'll go into detail on how to set up virtual users and mailboxes in Dovecot and Postfix. It's a bit weird to wrap your mind around, so the following examples are as simple as I can make them. We'll use plain flat files and plain-text authentication. You have the options of using database back ends and nice strong forms of encrypted authentication; see the links at the end for more information on these. 
+对于今天,在本系列的最后一部分中,我们将详细介绍如何在Dovecot和Postfix中设置虚拟用户和邮箱。 在你看来这是有点奇怪,所以我尽量让下面的例子是简单点。我们将使用纯文件和纯文本来进行身份验证。 你也可以选择使用数据库后端和很好的加密认证形式,具体请参阅文末链接了解有关这些的更多信息。 -### Virtual Users +### 虚拟用户 You want virtual users on your email server and not Linux system users. Using Linux system users does not scale, and it exposes their logins, and your Linux server, to unnecessary risk. Setting up virtual users requires editing configuration files in both Postfix and Dovecot. We'll start with Postfix. First, we'll start with a clean, simplified `/etc/postfix/main.cf`. Move your original `main.cf` out of the way and create a new clean one with these contents: +你希望电子邮件服务器上的是虚拟用户而不是Linux系统用户。使用Linux系统用户不能扩展,并且它们会暴露登录账号以及会给你的服务器带来不必要的风险。 设置虚拟用户需要在Postfix和Dovecot中编辑配置文件。我们将从Postfix开始。首先,我们将从一个干净、简单的`/etc /postfix/main.cf`开始。移动你原始的`main.cf`到别处,创建一个新的干净的文件: ``` @@ -45,9 +44,9 @@ virtual_gid_maps = static:5000 virtual_transport = lmtp:unix:private/dovecot-lmtp0 ``` -You may copy this exactly, except for the `192.168.0.0/24` parameter for `mynetworks`, as this should reflect your own local subnet. +你或许可以直接拷贝这份文件除了`mynetworks`的参数`192.168.0.0/24`,它反映了你的本地子网掩码。 -Next, create the user and group `vmail`, which will own your virtual mailboxes. The virtual mailboxes are stored in `vmail's` home directory. +接下来,创建用户和组`vmail`,它会拥有你的虚拟邮箱。虚拟邮箱存在 `vmail`的家目录下。 ``` @@ -55,7 +54,7 @@ $ sudo groupadd -g 5000 vmail $ sudo useradd -m -u 5000 -g 5000 -s /bin/bash vmail ``` -Then reload the Postfix configurations: +接下来重新加载Postfix配置: ``` 
@@ -64,16 +63,16 @@ $ sudo postfix reload postfix/postfix-script: refreshing the Postfix mail system ``` -### Dovecot Virtual Users +### Dovecot虚拟用户 -We'll use Dovecot's `lmtp` protocol to connect it to Postfix. You probably need to install it: +我们会使用Dovecot的`lmtp`协议来连接到Postfix。你可以这样安装: ``` $ sudo apt-get install dovecot-lmtpd ``` -The last line in our example `main.cf` references `lmtp`. Copy this example `/etc/dovecot/dovecot.conf`, replacing your existing file. Again, we are using just this single file, rather than calling the files in `/etc/dovecot/conf.d`. +`main.cf`的最后一行参考`lmtp`。复制这个例子`/etc/dovecot/dovecot.conf`来替换已存在的文件。再说一次,我们只使用这个文件,而不是`/etc/dovecot/conf.d`内的所有文件。 ``` @@ -113,7 +112,7 @@ service lmtp { } ``` -At last, you can create the file that holds your users and passwords, `/etc/dovecot/passwd`. For simple plain text authorization we need only our users' full email addresses and passwords: +最后,你快可以创建一个含有用户和密码的文件 `/etc/dovecot/passwd`。对于纯文本验证,我们只需要用户的完整邮箱地址和密码: ``` @@ -124,7 +123,7 @@ molly@studio:{PLAIN}password benny@studio:{PLAIN}password ``` -The Dovecot virtual users are independent of the Postfix virtual users, so you will manage your users in Dovecot. Save all of your changes and restart Postfix and Dovecot: +Dovecot虚拟用户独立于Postfix虚拟用户,因此你需要管理Dovecot中的用户。保存所有的设置并重启Postfix和Dovecot: ``` @@ -132,7 +131,7 @@ $ sudo service postfix restart $ sudo service dovecot restart ``` -Now let's use good old telnet to see if Dovecot is set up correctly. +现在让我们使用较旧的telnet来看下Dovecot是否设置正确了。 ``` @@ -150,7 +149,7 @@ quit Connection closed by foreign host. ``` -So far so good! Now let's send some test messages to our users with the `mail` command. Make sure to use the whole user's email address and not just the username. +现在一切都好!让我们用`mail`测试发送消息给我们的用户。确保使用用户的电子邮箱地址而不只是用户名。 ``` @@ -160,7 +159,7 @@ Please enjoy your new mail account! . ``` -The period on the last line sends your message. Let's see if it landed in the correct mailbox. +最后一行的点是发送消息。让我们看下它是否到达了正确的邮箱。 ``` 
@@ -171,7 +170,7 @@ drwx------ 5 vmail vmail 4096 Dec 14 12:39 .. -rw------- 1 vmail vmail 525 Dec 14 12:39 1481747995.M696591P5790.studio,S=525,W=540 ``` -And there it is. It is a plain text file that we can read: +找到了。这是一封我们可以阅读的纯文本文件: ``` $ less 1481747995.M696591P5790.studio,S=525,W=540 @@ -192,22 +191,22 @@ From: carla@localhost (carla) Please enjoy your new mail account! ``` -You could also use telnet for testing, as in the previous segments of this series, and set up accounts in your favorite mail client, such as Thunderbird, Claws-Mail, or KMail. +你还可以使用telnet进行测试,如本系列前面部分所述,并在你最喜欢的邮件客户端中设置帐户,如Thunderbird,Claws-Mail或KMail。 -### Troubleshooting +### 故障排查 -When things don't work, check your logfiles (see the configuration examples), and run `journalctl -xe`. This should give you all the information you need to spot typos, uninstalled packages, and nice search terms for Google. +当它不工作时,请检查日志文件(请参阅配置示例),然后运行`journalctl -xe`。 这时应该就会给你提供输入错误、已卸载的包和可以谷歌的字词了。 -### What Next? +### 接下来? -Assuming your LAN name services are correctly configured, you now have a nice usable LAN mail server. Obviously, sending messages in plain text is not optimal, and an absolute no-no for Internet mail. See [Dovecot SSL configuration][5] and [Postfix TLS Support][6]. [VirtualUserFlatFilesPostfix][7] covers TLS and database back ends. And watch for my upcoming SSL how-to. Really. +假设你的LAN名称服务配置正确,你现在有一台很好用的LAN邮件服务器。 显然以纯文本发送消息不是最佳的,并且对于Internet邮件也是绝对否定的。 请参阅[Dovecot SSL配置][5]和[Postfix TLS支持][6]。 [VirtualUserFlatFilesPostfix][7]涵盖TLS和数据库后端。并记得看即将到来的SSL指南。这次我说的是真的。 -------------------------------------------------------------------------------- via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-3 作者:[ CARLA SCHRODER][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 
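Review bot: The new title and lead in the first hunk say （四） and 第四部分, but the file being renamed is "Part 3" and the removed English lines call it "Part 3" and "the final part", so the numbering should be （三） to match the Part 2 title changed in the same patch. In the same hunk the English paragraph "You want virtual users on your email server..." is still a context line, so it stays in the translated file next to its Chinese version and should be deleted; the added path `/etc /postfix/main.cf` has a stray space; and the license link moved from [1] to [2], which is the image reference. Wording to recheck: 子网掩码 for "local subnet" (the source says the value should reflect the reader's own subnet), 较旧的telnet for "good old telnet", and the extra 快 in 你快可以创建.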
From 661465f12d2e33fc4d8ed680e027f39fa1dea580 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 14:04:35 +0800 Subject: [PATCH 086/181] translating --- sources/tech/20161201 How to Configure a Firewall with UFW.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161201 How to Configure a Firewall with UFW.md b/sources/tech/20161201 How to Configure a Firewall with UFW.md index 91d8362e7d..045f52dcd3 100644 --- a/sources/tech/20161201 How to Configure a Firewall with UFW.md +++ b/sources/tech/20161201 How to Configure a Firewall with UFW.md @@ -1,3 +1,5 @@ +translating---geekpi + How to Configure a Firewall with UFW ============================================================ From df202f4bfd55a828d64ea46ffa59f48af850119a Mon Sep 17 00:00:00 2001 From: Ezio Date: Thu, 29 Dec 2016 14:21:06 +0800 Subject: [PATCH 087/181] =?UTF-8?q?20161229-11=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...cent or Today’s Modified Files in Linux.md | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md diff --git a/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md new file mode 100644 index 0000000000..5a3990ba62 --- /dev/null +++ b/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md 
@@ -0,0 +1,118 @@ +How to Find Recent or Today’s Modified Files in Linux +============================================================ + +In this article, we will explain two, simple [command line tips][5] that enable you to only list all today’s files. + +One of the common problems Linux users encounter on the command line is [locating files with a particular name][6], it can be much easier when you actually know the filename. + +However, assuming that you have forgotten the name of a file that you created (in your `home` folder which contains hundreds of files) at an earlier time during the day and yet you need to use urgently. + +Below are different ways of only [listing all files that you created or modified][7] (directly or indirectly) today. + +1. Using the [ls command][8], you can only list today’s files in your home folder as follows, where: + +1. `-a` – list all files including hidden files +2. `-l` – enables long listing format +3. `--time-style=FORMAT` – shows time in the specified FORMAT +4. `+%D` – show/use date in %m/%d/%y format + +``` +# ls -al --time-style=+%D | grep 'date +%D' +``` +[ + ![Find Recent Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png) +][9] + +Find Recent Files in Linux + +In addition, you can [sort the resultant list alphabetically][10] by including the `-X` flag: + +``` +# ls -alX --time-style=+%D | grep 'date +%D' +``` + +You can also list based on size (largest first) using the `-S` flag: + +``` +# ls -alS --time-style=+%D | grep 'date +%D' +``` + +2. Again, it is possible to use the [find command][11] which is practically more flexible and offers plenty of options than ls, for the same purpose as below. + +1. `-maxdepth` level is used to specify the level (in terms of sub-directories) below the starting point (current directory in this case) to which the search operation will be carried out. +2. 
`-newerXY`, this works if timestamp X of the file in question is newer than timestamp Y of the file reference. X and Y represent any of the letters below: + 1. a – access time of the file reference + 2. B – birth time of the file reference + 3. c – inode status change time of reference + 4. m – modification time of the file reference + 5. t – reference is interpreted directly as a time + +This means that, only files modified on 2016-12-06 will be considered: + +``` +# find . -maxdepth 1 -newermt "2016-12-06" +``` +[ + ![Find Today's Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png) +][12] + +Find Today’s Files in Linux + +Important: Use the correct date format as reference in the [find command][13] above, once you use a wrong format, you will get an error as the one below: + +``` +# find . -maxdepth 1 -newermt "12-06-2016" +find: I cannot figure out how to interpret '12-06-2016' as a date or time +``` + +Alternatively, use the correct formats below: + +``` +# find . -maxdepth 1 -newermt "12/06/2016" +OR +# find . -maxdepth 1 -newermt "12/06/16" +``` +[ + ![Find Todays Modified Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png) +][14] + +Find Todays Modified Files in Linux + +You can get more usage information for `ls` and `find` commands in our following series of articles on same. + +1. [Master Linux ‘ls’ Command with This 15 Examples][1] +2. [Useful 7 Quirky ‘ls’ Tricks for Linux Users][2] +3. [Master Linux ‘find’ Command with This 35 Examples][3] +4. [Ways to Find Multiple Filenames with Extensions in Linux][4] + +In this article, we explained two important tips of how to list only today’s files with the help of ls and find commands. Make use of the feedback form below to send us any question(s) or comments about the topic. You can as well inform us of any commands used for the same goal. 
+ +-------------------------------------------------------------------------------- + +作者简介:Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge. + +------------------ + +via: http://www.tecmint.com/find-recent-modified-files-in-linux/ + +作者:[ Aaron Kili][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/aaronkili/ +[1]:http://www.tecmint.com/15-basic-ls-command-examples-in-linux/ +[2]:http://www.tecmint.com/linux-ls-command-tricks/ +[3]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ +[4]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ +[5]:http://www.tecmint.com/tag/linux-tricks/ +[6]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ +[7]:http://www.tecmint.com/sort-ls-output-by-last-modified-date-and-time/ +[8]:http://www.tecmint.com/tag/linux-ls-command/ +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png +[10]:http://www.tecmint.com/sort-command-linux/ +[11]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png +[13]:http://www.tecmint.com/find-directory-in-linux/ +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png From f577caf3d0565697de05173eb11a3ae380653010 Mon Sep 17 00:00:00 2001 
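Review bot: The three `ls` examples in the added article pipe into `grep 'date +%D'`, where the single quotes hand grep the literal text instead of today's date, so the commands as written will not list today's files; the source most likely had backticks, and `grep "$(date +%D)"` would be the safe form to carry into the translation. The sentence "only files modified on 2016-12-06 will be considered" also overstates what `-newermt "2016-12-06"` does: it matches everything modified after that timestamp, so on any later day it returns newer files too unless an upper bound such as `! -newermt "2016-12-07"` is added. A translator's note on both points would keep readers from copying commands that silently return the wrong set.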
From: Ezio Date: Thu, 29 Dec 2016 14:22:39 +0800 Subject: [PATCH 088/181] =?UTF-8?q?20161229-12=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ne Server to Different Server in Apache.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md diff --git a/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md new file mode 100644 index 0000000000..4e7f0fae56 --- /dev/null +++ b/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md 
@@ -0,0 +1,63 @@ +Redirect a Website URL from One Server to Different Server in Apache +============================================================ + +As promised in our previous two articles ([Perform Internal Redirection with mod_rewrite][1] and [Show Custom Content Based on Browser][2]), in this post we will explain how to perform a redirection to a resource that has been moved from one server to a different server in Apache using mod_rewrite module. + +Suppose you are redesigning your company’s Intranet site. You have decided to store the content and styling (HTML files, JavaScript, and CSS) on one server and the documentation on another – perhaps a more robust one. + +**Suggested Read:** [5 Tips to Boost the Performance of Your Apache Web Server][3] + +However, you want this change to be transparent to your users so that they are still able to access the docs at the usual URL. + +In the following example, a file named `assets.pdf` has been moved from /var/www/html in 192.168.0.100(hostname: web) to the same location in 192.168.0.101 (hostname: web2). + +In order for users to access this file when they browse to `192.168.0.100/assets.pdf`, open Apache’s configuration file on 192.168.0.100 and add the following rewrite rule (or you can also add the following rule to your [.htaccess file][4]): + +``` +RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L] +``` + +where `$1` is a placeholder for anything that matches the regular expression inside parentheses. + +Now save changes, don’t forget to restart Apache, and let’s see what happens when we attempt to access assets.pdf by browsing to 192.168.0.100/assets.pdf: + +**Suggested Read:** [25 Useful ‘.htaccess’ Tricks for Websites][5] + +In the above below we can see that the request that was made for assets.pdf on 192.168.0.100 was actually handled by 192.168.0.101. 
+ +``` +# tail -n 1 /var/log/apache2/access.log +``` +[ + ![Check Apache Logs](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png) +][6] + +Check Apache Logs + +In this article we have discussed how to perform a redirection to a resource that has been moved to a different server. To wrap up, I’d strongly suggest you take a look at the [mod_rewrite][7] guide and [Apache redirect guide][8] for future reference. + +As always, feel free to use the comment form below if you have any concerns about this article. We look forward to hearing from you! + +-------------------------------------------------------------------------------- + +作者简介:Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work. + +----------- + +via: http://www.tecmint.com/redirect-website-url-from-one-server-to-different-server/ + +作者:[Gabriel Cánepa][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/gacanepa/ +[1]:http://www.tecmint.com/redirection-with-mod_rewrite-in-apache/ +[2]:http://www.tecmint.com/mod_rewrite-redirect-requests-based-on-browser/ +[3]:http://www.tecmint.com/apache-performance-tuning/ +[4]:http://www.tecmint.com/tag/htaccess/ +[5]:http://www.tecmint.com/apache-htaccess-tricks/ +[6]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png +[7]:http://mod-rewrite-cheatsheet.com/ +[8]:https://httpd.apache.org/docs/2.4/rewrite/remapping.html From 3f2414f2e9b8ad96a5a4da3f6d731c8fa08afbf7 Mon Sep 17 00:00:00 2001 
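Review bot: the pattern in `RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L]` starts with a slash, which matches in server or virtual-host context but not in the .htaccess file that the same sentence offers as an alternative, because in per-directory context mod_rewrite strips the directory prefix, leading slash included, before matching. The .htaccess variant needs its own pattern without the leading slash, and the text should say that `RewriteEngine On` must be set, which it never mentions. Further down, "In the above below we can see" is garbled, and the paragraph does not say on which of the two hosts the `tail -n 1 /var/log/apache2/access.log` check is run; naming the host would make the verification step reproducible.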
From: Ezio Date: Thu, 29 Dec 2016 14:25:14 +0800 Subject: [PATCH 089/181] =?UTF-8?q?20161229-13=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ... Login – Never Use on Production Server.md | 158 ++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md diff --git a/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md b/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md new file mode 100644 index 0000000000..ea19bdb0bf --- /dev/null +++ b/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md 
@@ -0,0 +1,158 @@ +sshpass: An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server +============================================================ + +In most cases, Linux system administrators login to remote Linux servers using SSH either by supplying a password, or [passwordless SSH login][1], or keybased SSH authentication. + +What if you want to supply a password along with username to SSH prompt itself? this is where sshpass comes to rescue. + +sshpass is a simple and lightweight command line tool that enables us to provide password (non-interactive password authentication) to the command prompt itself, so that automated shell scripts can be executed to take backups via [cron scheduler][2]. + +ssh uses straight TTY access to make sure that the password is actually supplied by an interactive keyboard user. Sshpass runs ssh in a devoted tty, mislead it into believing that it is receiving the password from an interactive user. + +Important: Using sshpass considered to be least secure, as it reveals the password to all system users on the command line with simple “ps” command. I highly recommend using [SSH Passwordless authentication][3]. + +### Install sshpass on Linux Systems + +In RedHat/CentOS based systems, first you need to [enable Epel repository][4] on your system to install it using [yum command][5] as shown. + +``` +# yum install sshpass +# dnf install sshpass [On Fedora 22+ versions] +``` + +On Debian/Ubuntu and its derivatives, you can install it using [apt-get command][6] as shown. 
+ +``` +$ sudo apt-get install sshpass +``` + +Alternatively, you can install from source to have latest version of sshpass, first download the source code and then extract contents of the tar file and install it like so: + +``` +$ wget http://sourceforge.net/projects/sshpass/files/latest/download -O sshpass.tar.gz +$ tar -xvf sshpass.tar.gz +$ cd sshpass-1.06 +$ ./configure +# sudo make install +``` + +### How to Use sshpass in Linux + +sshpass is used together with ssh, you can view all the sshpass usage options with full descriptions by issuing the command below: + +``` +$ sshpass -h +``` +sshpass Help +``` +Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters +-f filename Take password to use from file +-d number Use number as file descriptor for getting password +-p password Provide password as argument (security unwise) +-e Password is passed as env-var "SSHPASS" +With no parameters - password will be taken from stdin +-h Show help (this screen) +-V Print version information +At most one of -f, -d, -p or -e should be used +``` + +As I mentioned before, sshpass is more reliable and useful for scripting purposes, consider the example commands below. + +Login to remote Linux ssh server (10.42.0.1) with the username and password and [check the file-system disk usage][7] of remote system as shown. + +``` +$ sshpass -p 'my_pass_here' ssh aaronkilik@10.42.0.1 'df -h' +``` + +Important: Here, the password is provided on the command line which is practically unsecure and using this option is not recommended. 
+ +[ + ![sshpass - Linux Remote Login via SSH](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Linux-Remote-Login.png) +][8] + +sshpass – Linux Remote Login via SSH + +However, to prevent showing password on the screen, you can use the `-e` flag and enter the password as a value of the SSHPASS environment variable as below: + +``` +$ export SSHPASS='my_pass_here' +$ echo $SSHPASS +$ sshpass -e ssh aaronkilik@10.42.0.1 'df -h' +``` +[ + ![sshpass - Hide Password in Prompt](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Hide-Password-in-Prompt.png) +][9] + +sshpass – Hide Password in Prompt + +Note: In the example above, SSHPASS environment variable is for temporary purpose only and will be removed during reboot. + +To permanently set the SSHPASS environment variable, open the /etc/profile file and type the export statement at the beginning of the file: + +``` +export SSHPASS='my_pass_here' +``` + +Save the file and exit, then run the command below to effect the changes: + +``` +$ source /etc/profile +``` + +On the other hand, you can also use the `-f` flag and put the password in a file. 
This way, you can read the password from the file as follows: + +``` +$ sshpass -f password_filename ssh aaronkilik@10.42.0.1 'df -h' +``` +[ + ![sshpass - Supply Password File to Login](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Provide-Password-File.png) +][10] + +sshpass – Supply Password File to Login + +You can also use sshpass to [transfer files using scp][11] or [backup/sync files over rsync][12] using SSH as shown: + +``` +------- Transfer Files Using SCP ------- +$ scp -r /var/www/html/example.com --rsh="sshpass -p 'my_pass_here' ssh -l aaronkilik" 10.42.0.1:/var/www/html +------- Backup or Sync Files Using Rsync ------- +$ rsync --rsh="sshpass -p 'my_pass_here' ssh -l aaronkilik" 10.42.0.1:/data/backup/ /backup/ +``` + +For more usage, I suggest you to read through the sshpass man page, type: + +``` +$ man sshpass +``` + +In this article, we explained sshpass a simple tool that enables non-interactive password authentication. Although, this tools may be helpful, it is highly recommended to use ssh’s more secure public key authentication mechanism. + +Please, do leave a question or comment via the feedback section below for any further discussions. + +-------------------------------------------------------------------------------- + +作者简介:Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge. 
+ +----------- + +via: http://www.tecmint.com/sshpass-non-interactive-ssh-login-shell-script-ssh-password/ + +作者:[Aaron Kili][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/aaronkili/ +[1]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/ +[2]:http://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/ +[3]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/ +[4]:http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/ +[5]:http://www.tecmint.com/20-linux-yum-yellowdog-updater-modified-commands-for-package-mangement/ +[6]:http://www.tecmint.com/useful-basic-commands-of-apt-get-and-apt-cache-for-package-management/ +[7]:http://www.tecmint.com/how-to-check-disk-space-in-linux/ +[8]:http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Linux-Remote-Login.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Hide-Password-in-Prompt.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Provide-Password-File.png +[11]:http://www.tecmint.com/scp-commands-examples/ +[12]:http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/ From 30786f6da562b31f0b13e9ec81bada1cf25ca9e9 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:00:43 +0800 Subject: [PATCH 090/181] translating --- ...01 How to Configure a Firewall with UFW.md | 254 ------------------ ...01 How to Configure a Firewall with UFW.md | 251 +++++++++++++++++ 2 files changed, 251 insertions(+), 254 deletions(-) delete mode 100644 sources/tech/20161201 How to Configure a Firewall with UFW.md create mode 100644 translated/tech/20161201 How to Configure a Firewall with UFW.md 
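Review bot: the "To permanently set the SSHPASS environment variable" step puts the clear-text password into /etc/profile, a file that is normally readable by every local user and sourced by every login shell, so the password is exposed system-wide and inherited by every session; that contradicts the warning at the top of the article and its title. Suggest dropping that step, or pointing to the `-f` form instead with a note that the password file must be readable only by its owner. The note before it, that the exported variable "will be removed during reboot", is also misleading, since an exported variable only lives as long as the shell it was set in. Two smaller points: the `-e` example runs `echo $SSHPASS` immediately after saying the flag avoids showing the password on screen, and the "Transfer Files Using SCP" command passes `--rsh=...`, which is an rsync option and not an scp one, so that line will not run as written.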
diff --git a/sources/tech/20161201 How to Configure a Firewall with UFW.md b/sources/tech/20161201 How to Configure a Firewall with UFW.md deleted file mode 100644 index 045f52dcd3..0000000000 --- a/sources/tech/20161201 How to Configure a Firewall with UFW.md +++ /dev/null 
@@ -1,254 +0,0 @@ -translating---geekpi - -How to Configure a Firewall with UFW -============================================================ - -UFW, or _uncomplicated firewall_, is a frontend for managing firewall rules Arch Linux, Debian or Ubuntu. UFW is used through the command line (although it has GUIs available), and aims to make firewall configuration easy (or, uncomplicated). - - ![How to Configure a Firewall with UFW](https://www.linode.com/docs/assets/ufw_tg.png "How to Configure a Firewall with UFW") - -### Before You Begin - -1. Familiarize yourself with our [Getting Started][1] guide and complete the steps for setting your Linode’s hostname and timezone. - -2. This guide will use `sudo` wherever possible. Complete the sections of our [Securing Your Server][2]guide to create a standard user account, harden SSH access and remove unnecessary network services. Do **not** follow the Creating a Firewall section–this guide is an introduction to using UFW, which is a separate method of controlling a firewall than iptables commands. - -3. Update your system. - - **Arch Linux** - - ``` - sudo pacman -Syu - ``` - - - **Debian / Ubuntu** - - ``` - sudo apt-get update && sudo apt-get upgrade - ``` - - -### Install UFW - -UFW is included in Ubuntu by default but must be installed in Arch and Debian. Debian will start UFW’s systemd unit automatically and enable it to start on reboots, but Arch will not. _This is not the same as telling UFW to enable the firewall rules_, as enabling UFW with systemd or upstart only tells the init system to switch on the UFW daemon. - -By default, UFW’s rulesets are blank so it is not enforcing any firewall rules–even when the daemon is running. Enforcing your firewall ruleset is covered [further down the page][3]. - -### Arch Linux - -1. Install UFW: - - ``` - sudo pacman -S ufw - ``` - - -2. Start and enable UFW’s systemd unit: - - ``` - sudo systemctl start ufw - sudo systemctl enable ufw - ``` - -### Debian / Ubuntu - -1. 
Install UFW - - ``` - sudo apt-get install ufw - ``` - - -### Use UFW to Manage Firewall Rules - -### Set Default Rules - -Most systems will need a only a small number of ports open for incoming connections, and all remaining ports closed. To start with an easy basis of rules, the `ufw default` command can be used to set the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, run: - -``` -sudo ufw default allow outgoing -sudo ufw default deny incoming -``` - - -The `ufw default` command also allows for the use of the `reject` parameter. - -> Configuring a default reject or deny rule can lock you out of your Linode unless explicit allow rules are in place. Ensure that you have configured allow rules for SSH and other critical services as per the section below before applying default deny or reject rules. - -### Add Rules - -Rules can be added in two ways: By denoting the **port number** or by using the **service name**. - -For example, to allow both incoming and outgoing connections on port 22 for SSH, you can run: - -``` -sudo ufw allow ssh -``` - -You can also run: - -``` -sudo ufw allow 22 -``` - -Similarly, to **deny** traffic on a certain port (in this example, 111) you would only have to run: - -``` -sudo ufw deny 111 -``` - -To farther fine-tune your rules, you can also allow packets based on TCP or UDP. The following will allow TCP packets on port 80: - - -``` -sudo ufw allow 80/tcp -sudo ufw allow http/tcp -``` - -Whereas this will allow UDP packets on 1725: - - -``` -sudo ufw allow 1725/udp -``` - - -### Advanced Rules - -Along with allowing or denying based solely on port, UFW also allows you to allow/block by IP addresses, subnets, and a IP address/subnet/port combinations. 
- -To allow connections from an IP address: - -``` -sudo ufw allow from 123.45.67.89 -``` - - -To allow connections from a specific subnet: - -``` -sudo ufw allow from 123.45.67.89/24 -``` - -To allow a specific IP address/port combination: - -``` -sudo ufw allow from 123.45.67.89 to any port 22 proto tcp -``` - - -`proto tcp` can be removed or switched to `proto udp` depending upon your needs, and all instances of `allow` can be changed to `deny` as needed. - -### Remove Rules - -To remove a rule, add `delete` before the rule implementation. If you no longer wished to allow HTTP traffic, you could run: - - -``` -sudo ufw delete allow 80 -``` - -Deleting also allows the use of service names. - -### Edit UFW’s Configuration Files - -Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Prior to running the rules input through the terminal, UFW will run a file, `before.rules`, that allows loopback, ping, and DHCP. To add to alter these rules edit the `/etc/ufw/before.rules` file. A `before6.rules` file is also located in the same directory for IPv6. - -An `after.rule` and an `after6.rule` file also exists to add any rules that would need to be added after UFW runs your command-line-added rules. - -An additional configuration file is located at `/etc/default/ufw`. From here IPv6 can be disabled or enabled, default rules can be set, and UFW can be set to manage built-in firewall chains. - -### UFW Status - -You can check the status of UFW at any time with the command: `sudo ufw status`. 
This will show a list of all rules, and whether or not UFW is active: - -``` -Status: active - -To Action From --- ------ ---- -22 ALLOW Anywhere -80/tcp ALLOW Anywhere -443 ALLOW Anywhere -22 (v6) ALLOW Anywhere (v6) -80/tcp (v6) ALLOW Anywhere (v6) -443 (v6) ALLOW Anywhere (v6) -``` - -### Enable the Firewall - -With your chosen rules in place, your initial run of `ufw status` will probably output `Status: inactive`. To enable UFW and enforce your firewall rules: - -``` -sudo ufw enable -``` - -Similarly, to disable UFW’s rules: - - -``` -sudo ufw disable -``` - -> This still leaves the UFW service running and enabled on reboots. - -### Logging - -You can enable logging with the command: - -``` -sudo ufw logging on -``` - -Log levels can be set by running `sudo ufw logging low|medium|high`, selecting either `low`, `medium`, or `high` from the list. The default setting is `low`. - -A normal log entry will resemble the following, and will be located at `/var/logs/ufw`: - -``` -Sep 16 15:08:14 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=123.45.67.89 DST=987.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 -``` - - -The initial values list the date, time, and hostname of your Linode. Additional important values include: - -* **[UFW BLOCK]:** This location is where the description of the logged event will be located. In this instance, it blocked a connection. - -* **IN:** If this contains a value, then the event was incoming - -* **OUT:** If this contain a value, then the event was outgoing - -* **MAC:** A combination of the destination and source MAC addresses - -* **SRC:** The IP of the packet source - -* **DST:** The IP of the packet destination - -* **LEN:** Packet length - -* **TTL:** The packet TTL, or _time to live_. How long it will bounce between routers until it expires, if no destination is found. 
- -* **PROTO:** The packet’s protocal - -* **SPT:** The source port of the package - -* **DPT:** The destination port of the package - -* **WINDOW:** The size of the packet the sender can receive - -* **SYN URGP:** Indicated if a three-way handshake is required. `0` means it is not. - --------------------------------------------------------------------------------- - -via: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw - -作者:[Linode ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw -[1]:https://www.linode.com/docs/getting-started -[2]:https://www.linode.com/docs/security/securing-your-server -[3]:http://localhost:4567/docs/security/firewalls/configure-firewall-with-ufw#enable-the-firewall diff --git a/translated/tech/20161201 How to Configure a Firewall with UFW.md b/translated/tech/20161201 How to Configure a Firewall with UFW.md new file mode 100644 index 0000000000..e06defee70 --- /dev/null +++ b/translated/tech/20161201 How to Configure a Firewall with UFW.md 
@@ -0,0 +1,251 @@ +如何用UFW配置防火墙 +============================================================ + +UFW或者称之为_uncomplicated firewall_,是一个Arch Linux、Debian或Ubuntu中管理防火墙规则的前端。 UFW通过命令行使用(尽管它有可用的GUI),它的目的是使防火墙配置简单(或不复杂)。 + + ![How to Configure a Firewall with UFW](https://www.linode.com/docs/assets/ufw_tg.png "How to Configure a Firewall with UFW") + +### 开始之前 + +1. 熟悉我们的[入门][1]指南,并完成设置Linode主机名和时区的步骤。 + +2. 本指南将尽可能使用`sudo`。 完成[保护你的服务器][2]指南的部分创建一个标准用户帐户,加强SSH访问和删除不必要的网络服务。 **不要**遵循创建防火墙部分 - 本指南是介绍使用UFW的,它对于iptables而言是一个单独的控制防火墙的方法。 + +3. 升级系统 + + **Arch Linux** + + ``` + sudo pacman -Syu + ``` + + + **Debian / Ubuntu** + + ``` + sudo apt-get update && sudo apt-get upgrade + ``` + + +### 安装 UFW + +UFW默认包含在Ubuntu中,但必须安装在Arch和Debian中。 Debian将自动启用UFW的systemd单元,并使其在重新启动时启动,但Arch不会。 _这与告诉UFW启用防火墙规则不同_,因为使用systemd或者upstart启用UFW仅告知init系统打开UFW守护程序。 + +默认情况下,UFW的规则集为空,因此即使守护程序正在运行,也不会强制执行任何防火墙规则。 强制执行防火墙规则集的部分[在下面][3]。 + +### Arch Linux + +1. 安装 UFW: + + ``` + sudo pacman -S ufw + ``` + + +2. 启动并启用UFW的systemd单元: + + ``` + sudo systemctl start ufw + sudo systemctl enable ufw + ``` + +### Debian / Ubuntu + +1. 
安装 UFW + + ``` + sudo apt-get install ufw + ``` + + +### 使用UFW管理防火墙规则 + +### 设置默认规则 + +大多数系统只需要少量的端口打开传入连接,并且所有剩余的端口都关闭。 要一个简单的规则基础开始,`ufw default`命令可以用于设置对传入和传出连接的默认响应。 要拒绝所有传入并允许所有传出连接,那么运行: + +``` +sudo ufw default allow outgoing +sudo ufw default deny incoming +``` + + +`ufw default`也允许使用`reject`参数。 + +> 除非明确允许规则,否则配置默认deny或reject规则会锁定你的Linode。确保在应用默认deny或reject规则之前,已按照下面的部分配置了SSH和其他关键服务的允许规则。 + +### 添加规则 + +可以有两种方式添加规则:用**端口号**或者**服务名**表示。 + +要允许SSH的22端口的传入和传出连接,你可以运行: + +``` +sudo ufw allow ssh +``` + +你也可以运行: + +``` +sudo ufw allow 22 +``` + +相似的,要在特定端口(比如111)上**deny**流量,你需要运行: + +``` +sudo ufw deny 111 +``` + +为了更好地调整你的规则,你也可以允许基于TCP或者UDP的包。下面例子会允许80端口的TCP包: + + +``` +sudo ufw allow 80/tcp +sudo ufw allow http/tcp +``` + +这个会允许1725端口上的UDP包: + + +``` +sudo ufw allow 1725/udp +``` + + +### 高级规则 + +除了基于端口的允许或阻止,UFW还允许您通过IP地址、子网和IP地址/子网/端口组合来允许/阻止。 + +允许从IP地址连接: + +``` +sudo ufw allow from 123.45.67.89 +``` + + +允许特定子网的连接: + +``` +sudo ufw allow from 123.45.67.89/24 +``` + +允许特定IP/端口组合: + +``` +sudo ufw allow from 123.45.67.89 to any port 22 proto tcp +``` + + +`proto tcp`可以删除或者根据你的需求变成`proto udp`,所有例子的`allow`都可以根据需要变成`deny`。 + +### 删除规则 + +要删除一条规则,在规则的前面加上`delete`。如果你希望不在允许HTTP流量,你可以运行: + + +``` +sudo ufw delete allow 80 +``` + +删除规则同样允许基于服务名。 + +### 编辑UFW的配置文件 + +虽然可以通过命令行添加简单的规则,但仍有可能需要添加或删除更高级或特定的规则。 在通过终端运行规则输入之前,UFW将运行一个文件`before.rules`,它允许回环、ping和DHCP。要添加或改变这些规则,编辑`/etc/ufw/before.rules`这个文件。 `before6.rules`文件也位于IPv6的同一目录中。 + +还存在一个`after.rule`和`after6.rule`文件,用于添加在UFW运行添加命令行规则后需要添加的任何规则。 + +额外的配置文件位于`/etc/default/ufw`。 从此处可以禁用或启用IPv6,可以设置默认规则,并可以设置UFW以管理内置防火墙链。 + +### UFW状态 + +你可以在任何时候使用命令:`sudo ufw status`查看UFW的状态。这会显示所有规则列表,以及UFW是否是激活状态: + +``` +Status: active + +To Action From +-- ------ ---- +22 ALLOW Anywhere +80/tcp ALLOW Anywhere +443 ALLOW Anywhere +22 (v6) ALLOW Anywhere (v6) +80/tcp (v6) ALLOW Anywhere (v6) +443 (v6) ALLOW Anywhere (v6) +``` + +### 启用防火墙 + +随着你选择规则完成,你初始运行`ufw status`可能会输出`Status: inactive`。 启用UFW并强制执行防火墙规则: + +``` +sudo ufw 
enable +``` + +相似地,禁用UFW规则: + +``` +sudo ufw disable +``` + +> 这让UFW继续运行并且在下次启动时再次启动。 + +### 日志记录 + +你可以用下面的命令启动日志记录: + +``` +sudo ufw logging on +``` + +可以通过运行`sudo ufw logging low|medium|high`设计日志级别,可以选择`low`、 `medium` 或者 `high`。默认级别是`low`。 + +常规日志类似于下面这样,位于`/var/logs/ufw`: + +``` +Sep 16 15:08:14 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=123.45.67.89 DST=987.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 +``` + + +初始的值有你的Linode的日期、时间、主机名。额外的信息包括: + +* ** [UFW BLOCK]:**此位置是记录事件的描述所在的位置。在这种例子中,它阻止了连接。 + +* ** IN:**如果这包含一个值,那么事件传入的 + +* ** OUT:**如果这包含一个值,那么事件是传出的 + +* ** MAC:**目的地和源MAC地址的组合 + +* ** SRC:**包源的IP + +* ** DST:**包目的地的IP + +* ** LEN:**数据包长度 + +* ** TTL:**数据包TTL,或称为_time to live_。 如果没有找到目的地,它将在路由器之间跳跃,直到它过期。 + +* ** PROTO:**数据包的协议 + +* ** SPT:**包的源端口 + +* ** DPT:**包的目标端口 + +* ** WINDOW:**发送方可以接收的数据包的大小 + +* ** SYN URGP:**指示是否需要三次握手。 `0`表示不是。 + +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw + +作者:[Linode ][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw +[1]:https://www.linode.com/docs/getting-started +[2]:https://www.linode.com/docs/security/securing-your-server +[3]:http://localhost:4567/docs/security/firewalls/configure-firewall-with-ufw#enable-the-firewall From 4764fa71401b705aaf71d6a495995dce1f031680 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:06:50 +0800 Subject: [PATCH 091/181] translating --- ...on-Interactive SSH Login – Never Use on Production Server.md | 2 ++ 1 file changed, 2 insertions(+) 
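Review bot: in the log-field list at the end of the translated UFW file, every bold label has gained a space after the opening asterisks (`* ** IN:**`, `* ** SRC:**` and so on), so Markdown will no longer render them as bold the way the source's `**IN:**` did; remove the space in each item. Wording slips in the same file: "如果你希望不在允许HTTP流量" should read "不再允许", "设计日志级别" should be "设置日志级别", and "要一个简单的规则基础开始" is missing "从". Link [3] still points at `http://localhost:4567/docs/...`, carried over from the source, so the "在下面" reference will not resolve for readers; an in-page anchor or the public linode.com URL would be better.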
diff --git a/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md b/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md index ea19bdb0bf..2259351d08 100644 --- a/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md +++ b/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md @@ -1,3 +1,5 @@ +translating---geekpi + sshpass: An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server ============================================================ From 3af6c5759315a41a5084f9d8c53d4dc3d008830c Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:37:42 +0800 Subject: [PATCH 092/181] translated --- ... Login – Never Use on Production Server.md | 58 +++++++++---------- 1 file changed, 28 insertions(+), 30 deletions(-) rename {sources => translated}/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md (50%) diff --git a/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md b/translated/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md similarity index 50% rename from sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md rename to translated/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md index 2259351d08..56f39e0046 100644 --- a/sources/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md +++ b/translated/tech/20161216 sshpass -An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server.md 
@@ -1,34 +1,32 @@ -translating---geekpi - -sshpass: An Excellent Tool for Non-Interactive SSH Login – Never Use on Production Server +sshpass:一个很棒的无交互SSH登录工具 - 不要在生产服务器上使用 ============================================================ -In most cases, Linux system administrators login to remote Linux servers using SSH either by supplying a password, or [passwordless SSH login][1], or keybased SSH authentication. +在大多数情况下,Linux系统管理员使用SSH通过密码或[无密码SSH登录][1]或基于密钥的SSH身份验证登录到远程Linux服务器。 -What if you want to supply a password along with username to SSH prompt itself? this is where sshpass comes to rescue. +如果你想自动在SSH中提供密码和用户名怎么办?这是可以用sshpass了。 -sshpass is a simple and lightweight command line tool that enables us to provide password (non-interactive password authentication) to the command prompt itself, so that automated shell scripts can be executed to take backups via [cron scheduler][2]. +sshpass是一个简单、轻量级的命令行工具,使我们能够向命令提示符本身提供密码(非交互式密码验证),以便可以通过[cron调度器][2]执行自动化的shell脚本进行备份。 -ssh uses straight TTY access to make sure that the password is actually supplied by an interactive keyboard user. Sshpass runs ssh in a devoted tty, mislead it into believing that it is receiving the password from an interactive user. +ssh直接使用TTY访问,以确保密码是用户键盘输入的。 sshpass在专门的tty中运行ssh,以误导它相信它是从用户接收到的密码。 -Important: Using sshpass considered to be least secure, as it reveals the password to all system users on the command line with simple “ps” command. I highly recommend using [SSH Passwordless authentication][3]. +重要:使用sshpass被认为是最不安全的,因为它通过简单的“ps”命令就可在命令行上显示所有系统用户的密码。我强烈建议使用[SSH无密码身份验证][3]。 -### Install sshpass on Linux Systems +### 在Linux中安装sshpass -In RedHat/CentOS based systems, first you need to [enable Epel repository][4] on your system to install it using [yum command][5] as shown. 
+在基于RedHat/CentOS的系统中,首先需要[启用Epel仓库][4]并使用[yum命令安装][5]它。 ``` # yum install sshpass # dnf install sshpass [On Fedora 22+ versions] ``` -On Debian/Ubuntu and its derivatives, you can install it using [apt-get command][6] as shown. +在Debian/Ubuntu和它的衍生版中,你可以使用[apt-get命令][6]来安装。 ``` $ sudo apt-get install sshpass ``` -Alternatively, you can install from source to have latest version of sshpass, first download the source code and then extract contents of the tar file and install it like so: +另外你也可以从最新的源码安装sshpass,首先下载源码并从tar文件中解压出内容: ``` $ wget http://sourceforge.net/projects/sshpass/files/latest/download -O sshpass.tar.gz @@ -38,9 +36,9 @@ $ ./configure # sudo make install ``` -### How to Use sshpass in Linux +### 如何在Linux中使用sshpass -sshpass is used together with ssh, you can view all the sshpass usage options with full descriptions by issuing the command below: +sshpass与ssh一起使用,可以使用下面的命令查看sshpass的使用使用选项的完整描述: ``` $ sshpass -h 
@@ -58,23 +56,23 @@ With no parameters - password will be taken from stdin At most one of -f, -d, -p or -e should be used ``` -As I mentioned before, sshpass is more reliable and useful for scripting purposes, consider the example commands below. +正如我之前提到的,sshpass在用于脚本时才更可靠及更有用,考虑下面的示例命令。 -Login to remote Linux ssh server (10.42.0.1) with the username and password and [check the file-system disk usage][7] of remote system as shown. +使用用户名和密码登录到远程Linux ssh服务器(10.42.0.1),并如图所示[检查文件系统磁盘使用情况] [7]。 ``` $ sshpass -p 'my_pass_here' ssh aaronkilik@10.42.0.1 'df -h' ``` -Important: Here, the password is provided on the command line which is practically unsecure and using this option is not recommended. +重要提示:此处,密码在命令行中提供,实际上不安全,不建议使用此选项。 [ ![sshpass - Linux Remote Login via SSH](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Linux-Remote-Login.png) ][8] -sshpass – Linux Remote Login via SSH +sshpass – 使用SSH远程登录Linux -However, to prevent showing password on the screen, you can use the `-e` flag and enter the password as a value of the SSHPASS environment variable as below: +但是,为了防止在屏幕上显示密码,可以使用`-e`标志,并输入密码作为SSHPASS环境变量的值,如下所示: ``` $ export SSHPASS='my_pass_here' 
@@ -85,23 +83,23 @@ $ sshpass -e ssh aaronkilik@10.42.0.1 'df -h' ![sshpass - Hide Password in Prompt](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Hide-Password-in-Prompt.png) ][9] -sshpass – Hide Password in Prompt +sshpass – 在终端中隐藏密码 -Note: In the example above, SSHPASS environment variable is for temporary purpose only and will be removed during reboot. +注意:在上面的示例中,SSHPASS环境变量仅用于临时目的,并将在重新启动后删除。 -To permanently set the SSHPASS environment variable, open the /etc/profile file and type the export statement at the beginning of the file: +要永久设置SSHPASS环境变量,打开/etc/profile文件,并在文件开头输入export语句: ``` export SSHPASS='my_pass_here' ``` -Save the file and exit, then run the command below to effect the changes: +保存文件并退出,接着运行下面的命令使更改生效: ``` $ source /etc/profile ``` -On the other hand, you can also use the `-f` flag and put the password in a file. This way, you can read the password from the file as follows: +另一方面,你也可以使用`-f'标志,并把密码放在一个文件中。 这样,您可以从文件中读取密码,如下所示: ``` $ sshpass -f password_filename ssh aaronkilik@10.42.0.1 'df -h' @@ -110,9 +108,9 @@ $ sshpass -f password_filename ssh aaronkilik@10.42.0.1 'df -h' ![sshpass - Supply Password File to Login](http://www.tecmint.com/wp-content/uploads/2016/12/sshpass-Provide-Password-File.png) ][10] -sshpass – Supply Password File to Login +sshpass – 在登录时提供密码文件 -You can also use sshpass to [transfer files using scp][11] or [backup/sync files over rsync][12] using SSH as shown: +你也可以使用sshpass[使用scp传输文件][11]或者[使用rsync备份/同步文件][12],如下所示: ``` ------- Transfer Files Using SCP ------- 
@@ -121,15 +119,15 @@ $ scp -r /var/www/html/example.com --rsh="sshpass -p 'my_pass_here' ssh -l aaron $ rsync --rsh="sshpass -p 'my_pass_here' ssh -l aaronkilik" 10.42.0.1:/data/backup/ /backup/ ``` -For more usage, I suggest you to read through the sshpass man page, type: +更多的用法,我建议你阅读一下sshpass的man页面,输入: ``` $ man sshpass ``` -In this article, we explained sshpass a simple tool that enables non-interactive password authentication. Although, this tools may be helpful, it is highly recommended to use ssh’s more secure public key authentication mechanism. +在本文中,我们解释了sshpass是一个启用非交互式密码验证的简单工具。 虽然这个工具可能是有帮助的,但是强烈建议使用更安全的ssh公钥认证机制。 -Please, do leave a question or comment via the feedback section below for any further discussions. +请在下面的评论栏写下任何问题或评论,以便可以进一步讨论。 -------------------------------------------------------------------------------- @@ -140,7 +138,7 @@ Please, do leave a question or comment via the feedback section below for any fu via: http://www.tecmint.com/sshpass-non-interactive-ssh-login-shell-script-ssh-password/ 作者:[Aaron Kili][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From e0c31ab29bfd84674350babec48c55e2a5e44b64 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:39:28 +0800 Subject: [PATCH 093/181] translating --- ...Website URL from One Server to Different Server in Apache.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md index 4e7f0fae56..10e7faec92 100644 --- a/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md +++ b/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md 
@@ -1,3 +1,5 @@ +translating---geekpi + Redirect a Website URL from One Server to Different Server in Apache ============================================================ From f52e15fbd1f70370d5141d380fdbe8b445fec0f6 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:54:54 +0800 Subject: [PATCH 094/181] translated --- ...ne Server to Different Server in Apache.md | 65 ------------------- ...ne Server to Different Server in Apache.md | 63 ++++++++++++++++++ 2 files changed, 63 insertions(+), 65 deletions(-) delete mode 100644 sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md create mode 100644 translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md diff --git a/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md deleted file mode 100644 index 10e7faec92..0000000000 --- a/sources/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md +++ /dev/null 
@@ -1,65 +0,0 @@ -translating---geekpi - -Redirect a Website URL from One Server to Different Server in Apache -============================================================ - -As promised in our previous two articles ([Perform Internal Redirection with mod_rewrite][1] and [Show Custom Content Based on Browser][2]), in this post we will explain how to perform a redirection to a resource that has been moved from one server to a different server in Apache using mod_rewrite module. - -Suppose you are redesigning your company’s Intranet site. You have decided to store the content and styling (HTML files, JavaScript, and CSS) on one server and the documentation on another – perhaps a more robust one. - -**Suggested Read:** [5 Tips to Boost the Performance of Your Apache Web Server][3] - -However, you want this change to be transparent to your users so that they are still able to access the docs at the usual URL. - -In the following example, a file named `assets.pdf` has been moved from /var/www/html in 192.168.0.100(hostname: web) to the same location in 192.168.0.101 (hostname: web2). - -In order for users to access this file when they browse to `192.168.0.100/assets.pdf`, open Apache’s configuration file on 192.168.0.100 and add the following rewrite rule (or you can also add the following rule to your [.htaccess file][4]): - -``` -RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L] -``` - -where `$1` is a placeholder for anything that matches the regular expression inside parentheses. - -Now save changes, don’t forget to restart Apache, and let’s see what happens when we attempt to access assets.pdf by browsing to 192.168.0.100/assets.pdf: - -**Suggested Read:** [25 Useful ‘.htaccess’ Tricks for Websites][5] - -In the above below we can see that the request that was made for assets.pdf on 192.168.0.100 was actually handled by 192.168.0.101. 
- -``` -# tail -n 1 /var/log/apache2/access.log -``` -[ - ![Check Apache Logs](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png) -][6] - -Check Apache Logs - -In this article we have discussed how to perform a redirection to a resource that has been moved to a different server. To wrap up, I’d strongly suggest you take a look at the [mod_rewrite][7] guide and [Apache redirect guide][8] for future reference. - -As always, feel free to use the comment form below if you have any concerns about this article. We look forward to hearing from you! - --------------------------------------------------------------------------------- - -作者简介:Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work. - ------------ - -via: http://www.tecmint.com/redirect-website-url-from-one-server-to-different-server/ - -作者:[Gabriel Cánepa][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/gacanepa/ -[1]:http://www.tecmint.com/redirection-with-mod_rewrite-in-apache/ -[2]:http://www.tecmint.com/mod_rewrite-redirect-requests-based-on-browser/ -[3]:http://www.tecmint.com/apache-performance-tuning/ -[4]:http://www.tecmint.com/tag/htaccess/ -[5]:http://www.tecmint.com/apache-htaccess-tricks/ -[6]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png -[7]:http://mod-rewrite-cheatsheet.com/ -[8]:https://httpd.apache.org/docs/2.4/rewrite/remapping.html diff --git a/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md new file mode 100644 index 0000000000..be65f0eb6e 
--- /dev/null +++ b/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md 
@@ -0,0 +1,63 @@ +在Apache中重定向URL从一台服务器到另外一台服务器上 +============================================================ + +如我们前面两篇文章([使用mod_rewrite执行内部重定向][1]和[基于浏览器显示自定义内容][2])中所承诺的,在本文中,我们将解释如何在Apache中使用mod_rewrite模块将已移动的资源重定向到不同服务器上。 + +假设你正在重新设计公司的网站。你已决定将内容和样式(HTML文件,JavaScript和CSS)存储在一个服务器上,将文档存储在另一个服务器上 - 这样可能会更稳健。 + +**建议阅读:** [5个提高Apache Web服务器性能的提示][3] + +但是,你希望这个更改对用户透明,以便他们仍然能够通过常用网址访问文档。 + +在下面的例子中,名为“assets.pdf”的文件已从192.168.0.100(主机名:web)中的/var/www /html移动到192.168.0.101(主机名:web2)中的相同位置。 + +为了让用户在浏览到“192.168.0.100/assets.pdf”时访问此文件,请打开192.168.0.100上的Apache配置文件并添加以下重写规则(或者也可以将以下规则添加到[.htaccess文件][4])中: + +``` +RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L] +``` + +其中`$1`是与括号中的正则表达式匹配的任何内容的占位符。 + +现在保存更改,不要忘记重新启动Apache,让我们看看当我们打开192.168.0.100/assets.pdf,尝试访问assets.pdf时会发生什么: + +**建议阅读:** [25有用的网站的'.htaccess'技巧] [5] + +在下面我们就可以看到,为192.168.0.100上的assets.pdf所做的请求实际上是由192.168.0.101处理的。 + +``` +# tail -n 1 /var/log/apache2/access.log +``` +[ + ![Check Apache Logs](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png) +][6] + +检查Apache日志 + +在本文中,我们讨论了如何对已移动到其他服务器的资源进行重定向。 总而言之,我强烈建议你看看[mod_rewrite][7]指南和[Apache重定向指南][8],以供将来参考。 + +一如既往那样,如果您对本文有任何疑虑,请随时使用下面的评论栏回复。 我们期待你的回音! 
+ +-------------------------------------------------------------------------------- + +作者简介:Gabriel Cánepa是来自阿根廷圣路易斯Villa Mercedes的GNU/Linux系统管理员和Web开发人员。 他在一家全球领先的消费品公司工作,非常高兴使用FOSS工具来提高他日常工作领域的生产力。 + +----------- + +via: http://www.tecmint.com/redirect-website-url-from-one-server-to-different-server/ + +作者:[Gabriel Cánepa][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/gacanepa/ +[1]:http://www.tecmint.com/redirection-with-mod_rewrite-in-apache/ +[2]:http://www.tecmint.com/mod_rewrite-redirect-requests-based-on-browser/ +[3]:http://www.tecmint.com/apache-performance-tuning/ +[4]:http://www.tecmint.com/tag/htaccess/ +[5]:http://www.tecmint.com/apache-htaccess-tricks/ +[6]:http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png +[7]:http://mod-rewrite-cheatsheet.com/ +[8]:https://httpd.apache.org/docs/2.4/rewrite/remapping.html From bf0a7dd1edaa44aa4bc564705e24327a64d2ab3d Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 15:57:20 +0800 Subject: [PATCH 095/181] translating --- ...206 How to Find Recent or Today’s Modified Files in Linux.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md index 5a3990ba62..25b38f6dc7 100644 --- a/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md +++ b/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md @@ -1,3 +1,5 @@ +translating---geekpi + How to Find Recent or Today’s Modified Files in Linux ============================================================ From 895f6e719d6d44f64107be137530af0eb663c9ff Mon Sep 17 00:00:00 2001 
From: geekpi Date: Thu, 29 Dec 2016 16:26:44 +0800 Subject: [PATCH 096/181] translated --- ...cent or Today’s Modified Files in Linux.md | 120 ------------------ ...cent or Today’s Modified Files in Linux.md | 119 +++++++++++++++++ 2 files changed, 119 insertions(+), 120 deletions(-) delete mode 100644 sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md create mode 100644 translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md diff --git a/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md deleted file mode 100644 index 25b38f6dc7..0000000000 --- a/sources/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md +++ /dev/null 
@@ -1,120 +0,0 @@ -translating---geekpi - -How to Find Recent or Today’s Modified Files in Linux -============================================================ - -In this article, we will explain two, simple [command line tips][5] that enable you to only list all today’s files. - -One of the common problems Linux users encounter on the command line is [locating files with a particular name][6], it can be much easier when you actually know the filename. - -However, assuming that you have forgotten the name of a file that you created (in your `home` folder which contains hundreds of files) at an earlier time during the day and yet you need to use urgently. - -Below are different ways of only [listing all files that you created or modified][7] (directly or indirectly) today. - -1. Using the [ls command][8], you can only list today’s files in your home folder as follows, where: - -1. `-a` – list all files including hidden files -2. `-l` – enables long listing format -3. `--time-style=FORMAT` – shows time in the specified FORMAT -4. `+%D` – show/use date in %m/%d/%y format - -``` -# ls -al --time-style=+%D | grep 'date +%D' -``` -[ - ![Find Recent Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png) -][9] - -Find Recent Files in Linux - -In addition, you can [sort the resultant list alphabetically][10] by including the `-X` flag: - -``` -# ls -alX --time-style=+%D | grep 'date +%D' -``` - -You can also list based on size (largest first) using the `-S` flag: - -``` -# ls -alS --time-style=+%D | grep 'date +%D' -``` - -2. Again, it is possible to use the [find command][11] which is practically more flexible and offers plenty of options than ls, for the same purpose as below. - -1. `-maxdepth` level is used to specify the level (in terms of sub-directories) below the starting point (current directory in this case) to which the search operation will be carried out. -2. 
`-newerXY`, this works if timestamp X of the file in question is newer than timestamp Y of the file reference. X and Y represent any of the letters below: - 1. a – access time of the file reference - 2. B – birth time of the file reference - 3. c – inode status change time of reference - 4. m – modification time of the file reference - 5. t – reference is interpreted directly as a time - -This means that, only files modified on 2016-12-06 will be considered: - -``` -# find . -maxdepth 1 -newermt "2016-12-06" -``` -[ - ![Find Today's Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png) -][12] - -Find Today’s Files in Linux - -Important: Use the correct date format as reference in the [find command][13] above, once you use a wrong format, you will get an error as the one below: - -``` -# find . -maxdepth 1 -newermt "12-06-2016" -find: I cannot figure out how to interpret '12-06-2016' as a date or time -``` - -Alternatively, use the correct formats below: - -``` -# find . -maxdepth 1 -newermt "12/06/2016" -OR -# find . -maxdepth 1 -newermt "12/06/16" -``` -[ - ![Find Todays Modified Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png) -][14] - -Find Todays Modified Files in Linux - -You can get more usage information for `ls` and `find` commands in our following series of articles on same. - -1. [Master Linux ‘ls’ Command with This 15 Examples][1] -2. [Useful 7 Quirky ‘ls’ Tricks for Linux Users][2] -3. [Master Linux ‘find’ Command with This 35 Examples][3] -4. [Ways to Find Multiple Filenames with Extensions in Linux][4] - -In this article, we explained two important tips of how to list only today’s files with the help of ls and find commands. Make use of the feedback form below to send us any question(s) or comments about the topic. You can as well inform us of any commands used for the same goal. 
- --------------------------------------------------------------------------------- - -作者简介:Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge. - ------------------- - -via: http://www.tecmint.com/find-recent-modified-files-in-linux/ - -作者:[ Aaron Kili][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/aaronkili/ -[1]:http://www.tecmint.com/15-basic-ls-command-examples-in-linux/ -[2]:http://www.tecmint.com/linux-ls-command-tricks/ -[3]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ -[4]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ -[5]:http://www.tecmint.com/tag/linux-tricks/ -[6]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ -[7]:http://www.tecmint.com/sort-ls-output-by-last-modified-date-and-time/ -[8]:http://www.tecmint.com/tag/linux-ls-command/ -[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png -[10]:http://www.tecmint.com/sort-command-linux/ -[11]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ -[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png -[13]:http://www.tecmint.com/find-directory-in-linux/ -[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png diff --git a/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md new file mode 100644 index 0000000000..f77e55014b --- /dev/null +++ b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md 
@@ -0,0 +1,119 @@ +如何在Linux中找出最近或今天被修改的文件 +============================================================ + +在本文中,我们将解释两个简单的[命令行小贴士][5],它可以帮你列出今天的所有文件。 + +Linux用户在命令行上遇到的常见问题之一是[定位具有特定名称的文件][6],当你知道真实的文件名时可能会容易得多。 + +但是,假设你忘记了在白天早些时候创建的文件的名称(在你包含了数百个文件的`home`文件夹中),但你有急用。 + +下面用不同的方式只[列出所有你今天创建或修改的文件][7](直接或间接)。 + +1.使用[ls命令][8],你只能按如下所示在你的home文件夹中列出今天的文件,其中: + +1. `-a` - 列出所有文件,包括隐藏文件 +2. `-l` - 启用长列表格式 +3. `--time-style = FORMAT` - 显示指定FORMAT的时间 +4. `+%D` - 以%m/%d/%y格式显示/使用日期 + +``` +# ls -al --time-style=+%D | grep 'date +%D' +``` +[ + ![Find Recent Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png) +][9] + +在Linux中找出最近的文件 + +In addition, you can [sort the resultant list alphabetically][10] by including the `-X` flag: +此外,你使用可以`-X`标志来[按字母顺序对结果排序][10]: + +``` +# ls -alX --time-style=+%D | grep 'date +%D' +``` + +你也可以使用`-S`标志来基于大小(大的优先)来排序: + +``` +# ls -alS --time-style=+%D | grep 'date +%D' +``` + +2. 另外使用[find命令][11]会更灵活,并且提供比ls更多的选项,用于以下相同的目的。 + +1. `-maxdepth`级别用于指定要执行搜索操作的起点(在这个情况下为当前目录)下的搜索层级(按子目录)。 +2. `-newerXY`,如果有问题的文件的时间戳X比引用文件的时间戳Y更新,那么这个就能用了。 X和Y表示以下任何字母: +     1. a - 文件引用的访问时间 +     2. B - 文件引用的创建时间 +     3. c - 文件引用的inode状态改变时间 +     4.m - 文件引用的修改时间 +     5. t - 引用直接解释为一个时间 + +下面的命令意味着只有在2016-12-06修改的文件将被找出: + +``` +# find . -maxdepth 1 -newermt "2016-12-06" +``` +[ + ![Find Today's Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png) +][12] + +在Linux中找出今天的文件 + +重要:使参考上面的[find命令][13]中正确的日期格式,一旦你使用了错误的格式,你会得到如下错误: + +``` +# find . -maxdepth 1 -newermt "12-06-2016" +find: I cannot figure out how to interpret '12-06-2016' as a date or time +``` + +或者使用下面正确的格式: + +``` +# find . -maxdepth 1 -newermt "12/06/2016" +或者 +# find . -maxdepth 1 -newermt "12/06/16" +``` +[ + ![Find Todays Modified Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png) +][14] + +在Linux中找出今天修改的文件 + +你可以在我们的下面一系列文章中获得`ls`和`find`命令的更多使用信息。 + +1. 
[用15例子的掌握Linux ‘ls’ 命令][1] +2. [对Linux用户有用的7个奇怪的技巧][2] +3. [用35个例子掌握Linux ‘find’ 命令][3] +4. [在Linux中使用扩展查找多个文件名的方法][4] + +在本文中,我们解释了如何使用ls和find命令帮助只列出今天的文件。 使用以下反馈栏向我们发送有关该主题的任何问题或意见。 你也可以提醒我们其他可以用于这个目的的命令。 + +-------------------------------------------------------------------------------- + +作者简介:Aaron Kili是一名Linux和F.O.S.S的爱好者,将来的Linux系统管理员、网站开发人员,目前是TecMint的内容创作者,他喜欢用电脑工作,并坚信分享知识。 + +------------------ + +via: http://www.tecmint.com/find-recent-modified-files-in-linux/ + +作者:[Aaron Kili][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/aaronkili/ +[1]:http://www.tecmint.com/15-basic-ls-command-examples-in-linux/ +[2]:http://www.tecmint.com/linux-ls-command-tricks/ +[3]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ +[4]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ +[5]:http://www.tecmint.com/tag/linux-tricks/ +[6]:http://www.tecmint.com/linux-find-command-to-search-multiple-filenames-extensions/ +[7]:http://www.tecmint.com/sort-ls-output-by-last-modified-date-and-time/ +[8]:http://www.tecmint.com/tag/linux-ls-command/ +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png +[10]:http://www.tecmint.com/sort-command-linux/ +[11]:http://www.tecmint.com/35-practical-examples-of-linux-find-command/ +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png +[13]:http://www.tecmint.com/find-directory-in-linux/ +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png From d786031775966e0b5ae3ca0bd2f2a98ee540ff6d Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 16:30:35 +0800 Subject: [PATCH 097/181] translating --- sources/tech/20160516 Securing Your Server.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/sources/tech/20160516 Securing Your Server.md b/sources/tech/20160516 Securing Your Server.md index a5b0f29606..299811a30d 100644 --- a/sources/tech/20160516 Securing Your Server.md +++ b/sources/tech/20160516 Securing Your Server.md @@ -1,3 +1,5 @@ +translating---geekpi + Securing Your Server ============================================================ From 2ce8da1c2b6216aaa3eaf6aa6f952a44e5b285d8 Mon Sep 17 00:00:00 2001 From: "Fuliang.Li" Date: Thu, 29 Dec 2016 03:02:45 -0600 Subject: [PATCH 098/181] Update 20161201 Using the NTP time synchronization.md --- sources/tech/20161201 Using the NTP time synchronization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161201 Using the NTP time synchronization.md b/sources/tech/20161201 Using the NTP time synchronization.md index eb0f80da7f..833ce1afe4 100644 --- a/sources/tech/20161201 Using the NTP time synchronization.md +++ b/sources/tech/20161201 Using the NTP time synchronization.md @@ -1,3 +1,5 @@ +GHLandy Translating + 使用 NTP 进行时间同步 ============================================================ From bb34add13e5aec3bad3d379731890cc232b12173 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 29 Dec 2016 20:28:28 +0800 Subject: [PATCH 099/181] translated --- sources/tech/20160516 Securing Your Server.md | 382 ------------------ .../tech/20160516 Securing Your Server.md | 378 +++++++++++++++++ 2 files changed, 378 insertions(+), 382 deletions(-) delete mode 100644 sources/tech/20160516 Securing Your Server.md create mode 100644 translated/tech/20160516 Securing Your Server.md diff --git a/sources/tech/20160516 Securing Your Server.md b/sources/tech/20160516 Securing Your Server.md deleted file mode 100644 index 299811a30d..0000000000 --- a/sources/tech/20160516 Securing Your Server.md +++ /dev/null 
@@ -1,382 +0,0 @@ -translating---geekpi - -Securing Your Server -============================================================ - -### Update Your System–Frequently - -Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public. - -### Automatic Security Updates - -There are arguments for and against automatic updates on servers. [Fedora’s Wiki][15] has a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. - -The practicality of automatic updates is something you must judge for yourself because it comes down to what _you_ do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment. - -* CentOS uses _[yum-cron][2]_ for automatic updates. - -* Debian and Ubuntu use _[unattended upgrades][3]_. - -* Fedora uses _[dnf-automatic][4]_. - -### Add a Limited User Account - -Up to this point, you have accessed your Linode as the `root` user, which has unlimited privileges and can execute _any_ command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using `sudo` to temporarily elevate your limited user’s privileges so you can administer your server. - -> Not all Linux distributions include `sudo` on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output `sudo: command not found`, install sudo before continuing. 
- -To add a new user, first [log in to your Linode][16] via SSH. - -### CentOS / Fedora - -1. Create the user, replacing `example_user` with your desired username, and assign a password: - -``` - useradd example_user && passwd example_user -``` - -2. Add the user to the `wheel` group for sudo privileges: - -``` - usermod -aG wheel example_user -``` - -### Ubuntu - -1. Create the user, replacing `example_user` with your desired username. You’ll then be asked to assign the user a password: - -``` - adduser example_user -``` - -2. Add the user to the `sudo` group so you’ll have administrative privileges: - - -``` - adduser example_user sudo -``` - -### Debian - -1. Debian does not include `sudo` among their default packages. Use `apt-get` to install it: - - -``` - apt-get install sudo -``` - -2. Create the user, replacing `example_user` with your desired username. You’ll then be asked to assign the user a password: - -``` - adduser example_user -``` - -3. Add the user to the `sudo` group so you’ll have administrative privileges: - -``` - adduser example_user sudo -``` - -After creating your limited user, disconnect from your Linode: - -``` -exit -``` - -Log back in as your new user. Replace `example_user` with your username, and the example IP address with your Linode’s IP address: - -``` -ssh example_user@203.0.113.10 -``` - -Now you can administer your Linode from your new user account instead of `root`. Nearly all superuser commands can be executed with `sudo` (example: `sudo iptables -L -nv`) and those commands will be logged to `/var/log/auth.log`. - -### Harden SSH Access - -By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section we’ll create a key-pair and configure the Linode to not accept passwords for SSH logins. - -### Create an Authentication Key-pair - -1. 
This is done on your local computer, **not** your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one. - - **Linux / OS X** - - > If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run `ls ~/.ssh/id_rsa*`. - -``` - ssh-keygen -b 4096 -``` - - - Press **Enter** to use the default names `id_rsa` and `id_rsa.pub` in `/home/your_username/.ssh` before entering your passphrase. - - **Windows** - - This can be done using PuTTY as outlined in our guide: [Use Public Key Authentication with SSH][6]. - -2. Upload the public key to your Linode. Replace `example_user` with the name of the user you plan to administer the server as, and `203.0.113.10` with your Linode’s IP address. - - **Linux** - - From your local computer: - -``` - ssh-copy-id example_user@203.0.113.10 -``` - - **OS X** - - On your Linode (while signed in as your limited user): - -``` - mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ -``` - - From your local computer: - -``` - scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys -``` - - > `ssh-copy-id` is available in [Homebrew][5] if you prefer it over SCP. Install with `brew install ssh-copy-id`. - - **Windows** - - * **Option 1**: This can be done using [WinSCP][1]. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click _Login_ to connect. - - Once WinSCP has connected, you’ll see two main sections. 
The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click _Upload_ in the toolbar above. - - You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to `/home/example_user/.ssh/authorized_keys`, replacing `example_user` with your username. - - * **Option 2:** Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user): - - ``` - mkdir ~/.ssh; nano ~/.ssh/authorized_keys - ``` - - - The above command will open a blank file called `authorized_keys` in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press **CTRL+X**, then **Y**, then **Enter** to save the file. - - Finally, you’ll want to set permissions for the public key directory and the key file itself: - -``` - sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys -``` - - These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on [how to modify file permissions][7]. - -3. Now exit and log back into your Linode. If you specified a passphrase for your private key, you’ll need to enter it. - -### SSH Daemon Options - -1. **Disallow root logins over SSH.** This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using `sudo` or changing to a root shell using `su -`. - -``` - # Authentication: - ... - PermitRootLogin no -``` - - -2. **Disable SSH password authentication.** This requires all users connecting via SSH to use key authentication. 
Depending on the Linux distribution, the line `PasswordAuthentication` may need to be added, or uncommented by removing the leading `#`. - - -``` - # Change to no to disable tunnelled clear text passwords - PasswordAuthentication no -``` - - > You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device. - -3. **Listen on only one internet protocol.** The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. _This does not disable the protocol system-wide, it is only for the SSH daemon._ - - Use the option: - - * `AddressFamily inet` to listen only on IPv4. - * `AddressFamily inet6` to listen only on IPv6. - - The `AddressFamily` option is usually not in the `sshd_config` file by default. Add it to the end of the file: - -``` - echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config -``` - - -4. Restart the SSH service to load the new configuration. - - If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+) - -``` - sudo systemctl restart sshd -``` - - If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04): - -``` - sudo service ssh restart -``` - -### Use Fail2Ban for SSH Login Protection - -[_Fail2Ban_][17] is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access. - -Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. 
By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address. - -For complete instructions on installing and configuring Fail2Ban, see our guide: [Securing Your Server with Fail2ban][18]. - -### Remove Unused Network-Facing Services - -Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages. - -### Determine Running Services - -To see your Linode’s running network services: - -``` -sudo netstat -tulpn -``` - - -> If netstat isn’t included in your Linux distribution by default, install the package `net-tools` or use the `ss -tulpn`command instead. - -The following is an example of netstat’s output. 
Note that because distributions run different services by default, your output will differ: - - -``` -Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name -tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7315/rpcbind -tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3277/sshd -tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3179/exim4 -tcp 0 0 0.0.0.0:42526 0.0.0.0:* LISTEN 2845/rpc.statd -tcp6 0 0 :::48745 :::* LISTEN 2845/rpc.statd -tcp6 0 0 :::111 :::* LISTEN 7315/rpcbind -tcp6 0 0 :::22 :::* LISTEN 3277/sshd -tcp6 0 0 ::1:25 :::* LISTEN 3179/exim4 -udp 0 0 127.0.0.1:901 0.0.0.0:* 2845/rpc.statd -udp 0 0 0.0.0.0:47663 0.0.0.0:* 2845/rpc.statd -udp 0 0 0.0.0.0:111 0.0.0.0:* 7315/rpcbind -udp 0 0 192.0.2.1:123 0.0.0.0:* 3327/ntpd -udp 0 0 127.0.0.1:123 0.0.0.0:* 3327/ntpd -udp 0 0 0.0.0.0:123 0.0.0.0:* 3327/ntpd -udp 0 0 0.0.0.0:705 0.0.0.0:* 7315/rpcbind -udp6 0 0 :::111 :::* 7315/rpcbind -udp6 0 0 fe80::f03c:91ff:fec:123 :::* 3327/ntpd -udp6 0 0 2001:DB8::123 :::* 3327/ntpd -udp6 0 0 ::1:123 :::* 3327/ntpd -udp6 0 0 :::123 :::* 3327/ntpd -udp6 0 0 :::705 :::* 7315/rpcbind -udp6 0 0 :::60671 :::* 2845/rpc.statd -``` - -Netstat tells us that services are running for [Remote Procedure Call][19] (rpc.statd and rpcbind), SSH (sshd), [NTPdate][20] (ntpd) and [Exim][21] (exim4). - -#### TCP - -See the **Local Address** column of the netstat readout. The process `rpcbind` is listening on `0.0.0.0:111` and `:::111` for a foreign address of `0.0.0.0:*` or `:::*`. This means that it’s accepting incoming TCP connections from other RPC clients on any external address, both IPv4 and IPv6, from any port and over any network interface. We see similar for SSH, and that Exim is listening locally for traffic from the loopback interface, as shown by the `127.0.0.1` address. - -#### UDP - -UDP sockets are _[stateless][14]_, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. 
This is in contrast to TCP connection states such as _LISTEN_, _ESTABLISHED_ and _CLOSE_WAIT_. - -Our netstat output shows that NTPdate is: 1) accepting incoming connections on the Linode’s public IP address; 2) communicates over localhost; and 3) accepts connections from external sources. These are over port 123, and both IPv4 and IPv6\. We also see more sockets open for RPC. - -### Determine Which Services to Remove - -If you were to do a basic TCP and UDP [nmap][22] scan of your Linode without a firewall enabled, SSH, RPC and NTPdate would be present in the result with ports open. By [configuring a firewall][23] you can filter those ports, with the exception of SSH because it must allow your incoming connections. Ideally, however, the unused services should be disabled. - -* You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, [RSA keys][8] and [Fail2Ban][9] can help protect SSH. - -* NTP is necessary for your server’s timekeeping but there are alternatives to NTPdate. If you prefer a time synchronization method which does not hold open network ports, and you do not need nanosecond accuracy, then you may be interested in replacing NTPdate with [OpenNTPD][10]. - -* Exim and RPC, however, are unnecessary unless you have a specific use for them, and should be removed. - -> This section focused on Debian 8\. Different Linux distributions have different services enabled by default. If you are unsure of what a service does, do an internet search to understand what it is before attempting to remove or disable it. - -### Uninstall the Listening Services - -How to remove the offending packages will differ depending on your distribution’s package manager. 
- -**Arch** - -``` -sudo pacman -Rs package_name -``` - -**CentOS** - - -``` -sudo yum remove package_name -``` - - -**Debian / Ubuntu** - -``` -sudo apt-get purge package_name -``` - -**Fedora** - - -``` -sudo dnf remove package_name -``` - -Run `sudo netstat -tulpn` again. You should now only see listening services for SSH (sshd) and NTP (ntpdate, network time protocol). - -### Configure a Firewall - -Using a _firewall_ to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications: - -* [Iptables][11] is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default. - -* [FirewallD][12] is the iptables controller available for the CentOS / Fedora family of distributions. - -* [UFW][13] provides an iptables frontend for Debian and Ubuntu. - -### Next Steps - -These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using [intrusion detection][24] or installing a form of [access control][25]. - -Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from [migration from shared hosting][26] to [enabling two-factor authentication][27] to [hosting a website][28]. 
- --------------------------------------------------------------------------------- - -via: https://www.linode.com/docs/security/securing-your-server/ - -作者:[Phil Zona ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linode.com/docs/security/securing-your-server/ -[1]:http://winscp.net/ -[2]:https://fedoraproject.org/wiki/AutoUpdates#Fedora_21_or_earlier_versions -[3]:https://help.ubuntu.com/lts/serverguide/automatic-updates.html -[4]:https://dnf.readthedocs.org/en/latest/automatic.html -[5]:http://brew.sh/ -[6]:https://www.linode.com/docs/security/use-public-key-authentication-with-ssh#windows-operating-system -[7]:https://www.linode.com/docs/tools-reference/modify-file-permissions-with-chmod -[8]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair -[9]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection -[10]:https://en.wikipedia.org/wiki/OpenNTPD -[11]:https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables -[12]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos -[13]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw -[14]:https://en.wikipedia.org/wiki/Stateless_protocol -[15]:https://fedoraproject.org/wiki/AutoUpdates#Why_use_Automatic_updates.3F -[16]:https://www.linode.com/docs/getting-started#logging-in-for-the-first-time -[17]:http://www.fail2ban.org/wiki/index.php/Main_Page -[18]:https://www.linode.com/docs/security/using-fail2ban-for-security -[19]:https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call -[20]:http://support.ntp.org/bin/view/Main/SoftwareDownloads -[21]:http://www.exim.org/ -[22]:https://nmap.org/ -[23]:https://www.linode.com/docs/security/securing-your-server/#configure-a-firewall 
-[24]:https://linode.com/docs/security/ossec-ids-debian-7 -[25]:https://en.wikipedia.org/wiki/Access_control#Access_Control -[26]:https://www.linode.com/docs/migrate-to-linode/migrate-from-shared-hosting -[27]:https://www.linode.com/docs/security/linode-manager-security-controls -[28]:https://www.linode.com/docs/websites/hosting-a-website diff --git a/translated/tech/20160516 Securing Your Server.md b/translated/tech/20160516 Securing Your Server.md new file mode 100644 index 0000000000..367c5583ef --- /dev/null +++ b/translated/tech/20160516 Securing Your Server.md 
@@ -0,0 +1,378 @@ +保护你的服务器 +============================================================ + +### 经常升级系统 + +保持最新的软件是任何操作系统可以采取的最大的安全预防措施。软件更新的范围从关键漏洞补丁到小bug的修复,许多软件漏洞实际上是在它们公开的时候修补的。 + +### 自动安全更新 + +服务器上有自动更新的参数。[Fedora的Wiki][15]上有一篇很棒的关于故障的正反两方的文章,但是如果你把它限制到安全更新,自动更新的风险将是最小的。 + +自动更新的可行性必须你自己判断,因为它归结为_你_在你的Linode上做什么。请记住,自动更新仅适用于来自仓库的包,而不是自编译的程序。你可能会发现一个复制了生产服务器的测试环境是很值得的。可以在测试环境更新并在部署到生产环境之前检查问题。 + +* CentOS使用_[yum-cron][2]_进行自动更新。 + +* Debian和Ubuntu使用_[无人值守升级][3]_。 + +* Fedora使用_[dnf-automatic][4]_。 + +### 添加一个受限用户账户 + +到目前为止,你已经作为`root`用户访问了你的Linode,它有无限的权限,可以执行_任何_命令 - 甚至可能意外中断你的服务器。 我们建议创建有限权限的用户帐户,并始终使用它。 管理任务使用`sudo`来完成,它可以临时提升用户的权限,以便管理你的服务器。 + +>不是所有的Linux发行版都在系统上默认包含`sudo`,但Linode提供的所有镜像都在其软件包仓库中有sudo。 如果得到输出`sudo:command not found`,请在继续之前安装sudo。 + +要添加新用户,首先通过SSH[登录到你的Linode][16]。 + +### CentOS / Fedora + +1. 创建用户,用你想要的名字替换`example_user`,并分配一个密码: + +``` + useradd example_user && passwd example_user +``` + +2. 将用户添加到具有sudo权限的`wheel`组: + +``` + usermod -aG wheel example_user +``` + +### Ubuntu + +1. 创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码: + +``` + adduser example_user +``` + +2. 添加用户到`sudo`组,这样你就有管理员权限了: + + +``` + adduser example_user sudo +``` + +### Debian + +1. Debian默认的包中没有`sudo`, 使用`apt-get`来安装: + + +``` + apt-get install sudo +``` + +2. 创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码: + +``` + adduser example_user +``` + +3. 
添加用户到`sudo`组,这样你就有管理员权限了: + +``` + adduser example_user sudo +``` + +创建完有限权限的用户后,断开你的Linode: + +``` +exit +``` + +重新用你的新用户登录。用你的用户名代替`example_user`,用你的IP地址代替例子中的IP地址: + +``` +ssh example_user@203.0.113.10 +``` + +现在你可以用你的新用户帐户管理你的Linode,而不是`root`。 几乎所有超级用户命令都可以用`sudo`(例如:`sudo iptables -L -nv`)来执行,这些命令将被记录到/var/log/auth.log中。 + +### 加固SSH访问 + +默认情况下,密码认证用于通过SSH连接到您的Linode。加密密钥对更安全,因为用私钥代替了密码,这通常更难以暴力破解。在本节中,我们将创建一个密钥对,并将Linode配置为不接受SSH密码登录。 + +###创建验证密钥对 + +1.这是在你本机上完成的,**不是**你的Linode,这里将创建一个4096位的RSA密钥对。在创建过程中,您可以选择使用密码加密私钥。这意味着它不能在没有输入密码的情况下使用,除非将其保存到本机桌面的密钥管理器中。我们建议您使用带有密码的密钥对,但如果你不想使用密码,则可以将此字段留空。 + +    ** Linux / OS X ** + +    >如果你已经创建了RSA密钥对,则用这个命令将覆盖它,这可能会不能访问其他系统。如果你已创建密钥对,请跳过此步骤。要检查现有的密钥,请运行`ls〜/ .ssh / id_rsa *`。 + +``` + ssh-keygen -b 4096 +``` + + 在输入密码之前,按下** 回车 **在`/home/your_username/.ssh`中使用默认名称`id_rsa`和`id_rsa.pub`。 + + **Windows** + + 这可以使用PuTTY完成,在我们指南中已有描述:[使用SSH公钥验证][6]。 + +2.将公钥上传到您的Linode上。 将`example_user`替换为管理服务器的用户的名称,将`203.0.113.10`替换为你的Linode的IP地址。 + + **Linux** + + 在本机上: + +``` + ssh-copy-id example_user@203.0.113.10 +``` + + **OS X** + + 在你的Linode上(用你的有限权限用户登录): + +``` + mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ +``` + + 在本机上: + +``` + scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys +``` + + > 如果对于scp你更喜欢`ssh-copy-id`,那么它可以在[Homebrew][5]中找到。使用`brew install ssh-copy-id`安装。 + + **Windows** + + * **选择1 **:使用[WinSCP][1]来完成。 在登录窗口中,输入你的Linode的IP地址作为主机名,以及非root的用户名和密码。单击_登录_连接。 + +         一旦WinSCP连接后,你会看到两个主要部分。 左边显示本机上的文件,右边显示Linode上的文件。 使用左侧的文件浏览器,导航到你已保存公钥的文件,选择公钥文件,然后点击上面工具栏中的_上传_。 + +         系统会提示你输入要将文件放在Linode上的路径。 将文件上传到`/home/example_user/.ssh /authorized_keys`,用你的用户名替换`example_user`。 + +     * **选择2:**将公钥直接从PuTTY键生成器复制到连接到你的Linode中(作为非root用户): + + ``` + mkdir ~/.ssh; nano ~/.ssh/authorized_keys + ``` + + + 上面命令将在文本编辑器中打开一个名为“authorized_keys”的空白文件。 将公钥复制到文本文件中,确保复制的与PuTTY生成的完全一样。 按下** CTRL + X **,然后按下** Y **,然后**回车**保存文件。 + + 最后,你需要为公钥目录和密钥文件本身设置权限: + +``` + sudo chmod 700 -R ~/.ssh && chmod 600 
~/.ssh/authorized_keys +``` + + 这些命令通过阻止其他用户访问公钥目录以及文件本身来提供额外的安全性。有关它如何工作的更多信息,请参阅我们的指南[如何修改文件权限][7]。 + +3. 现在退出并重新登录你的Linode。如果你为私钥指定了密码,则需要输入密码。 + +### SSH守护进程选项 + +1. **不允许通过SSH登录。** 这需要所有SSH连接都是非root用户。一旦连接了有限权限的用户帐户,可以通过使用`sudo`或使用`su -`改为root shell来使用管理员权限。 + +``` + # Authentication: + ... + PermitRootLogin no +``` + + +2. **禁用SSH密码认证。** 这要求所有通过SSH连接的用户使用密钥认证。根据Linux发行版,它可能需要添加`PasswordAuthentication`这行,或者删除前面的“#”来取消注释。 + + +``` + # Change to no to disable tunnelled clear text passwords + PasswordAuthentication no +``` + + > 如果你从许多不同的计算机连接到Linode,你可能想要启用密码验证。这将允许你使用密码进行身份验证,而不是为每个设备生成和上传密钥对。 + +3. **只监听一个互联网协议。** 在默认情况下,SSH守护进程同时监听IPv4和IPv6上的传入连接。除非你需要使用这两种协议进入你的Linode,否则就禁用你不需要的。 _这不会禁用系统范围的协议,它只用于SSH守护进程。_ + + 使用选项: + + * `AddressFamily inet` 只监听IPv4。 + * `AddressFamily inet6` 只监听IPv6。 + + 默认情况下,`AddressFamily`选项通常不在`sshd_config`文件中。将它添加到文件的末尾: + +``` + echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config +``` + + +4. 重新启动SSH服务以加载新配置。 + + 如果你使用的Linux发行版使用systemd(CentOS 7、Debian 8、Fedora、Ubuntu 15.10+) +``` + sudo systemctl restart sshd +``` + + 如果您的init系统是SystemV或Upstart(CentOS 6、Debian 7、Ubuntu 14.04): + +``` + sudo service ssh restart +``` + +### 使用Fail2Ban保护SSH登录 + +[_Fail2Ban _][17]是一个应用程序,它会在太多的失败登录尝试后禁止IP地址登录到你的服务器。由于合法登录通常只需要三次尝试成功(如果使用SSH密钥,那不会不超过一个),因此如果服务器充满了登录失败的请求那就表示有恶意访问。 + +Fail2Ban可以监视各种协议,包括SSH、HTTP和SMTP。默认情况下,Fail2Ban仅监视SSH,并且对任何服务器都是有帮助的安全威慑,因为SSH守护程序通常配置为持续运行并监听来自任何远程IP地址的连接。 + +有关安装和配置Fail2Ban的完整说明,请参阅我们的指南:[使用Fail2ban保护服务器][18]。 + +### 删除未使用的面向网络的服务 + +大多数Linux发行版都安装并运行了网络服务,监听来自互联网,回环接口或两者的组合的传入连接。 将不需要的面向网络的服务从系统中删除,以减少运行进程和对已安装软件包攻击的概率。 + +### 查明运行的服务 + +要查看Linode中运行的服务: + +``` +sudo netstat -tulpn +``` + + +> 如果默认情况下netstat不包含在你的Linux发行版中,请安装软件包`net-tools`或使用`ss -tulpn`命令。 + +以下是netstat的输出示例。 请注意,因为默认情况下不同发行版会运行不同的服务,你的输出将有所不同: + + +``` +Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name +tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7315/rpcbind +tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3277/sshd +tcp 0 0 
127.0.0.1:25 0.0.0.0:* LISTEN 3179/exim4 +tcp 0 0 0.0.0.0:42526 0.0.0.0:* LISTEN 2845/rpc.statd +tcp6 0 0 :::48745 :::* LISTEN 2845/rpc.statd +tcp6 0 0 :::111 :::* LISTEN 7315/rpcbind +tcp6 0 0 :::22 :::* LISTEN 3277/sshd +tcp6 0 0 ::1:25 :::* LISTEN 3179/exim4 +udp 0 0 127.0.0.1:901 0.0.0.0:* 2845/rpc.statd +udp 0 0 0.0.0.0:47663 0.0.0.0:* 2845/rpc.statd +udp 0 0 0.0.0.0:111 0.0.0.0:* 7315/rpcbind +udp 0 0 192.0.2.1:123 0.0.0.0:* 3327/ntpd +udp 0 0 127.0.0.1:123 0.0.0.0:* 3327/ntpd +udp 0 0 0.0.0.0:123 0.0.0.0:* 3327/ntpd +udp 0 0 0.0.0.0:705 0.0.0.0:* 7315/rpcbind +udp6 0 0 :::111 :::* 7315/rpcbind +udp6 0 0 fe80::f03c:91ff:fec:123 :::* 3327/ntpd +udp6 0 0 2001:DB8::123 :::* 3327/ntpd +udp6 0 0 ::1:123 :::* 3327/ntpd +udp6 0 0 :::123 :::* 3327/ntpd +udp6 0 0 :::705 :::* 7315/rpcbind +udp6 0 0 :::60671 :::* 2845/rpc.statd +``` + +netstat告诉我们服务正在运行[远程过程调用][19](rpc.statd和rpcbind)、SSH(sshd)、[NTPdate][20](ntpd)和[Exim][21](exim4)。 + +#### TCP + +请参阅netstat输出的** Local Address **哪列。进程`rpcbind`正在侦听`0.0.0.0:111`和`:::111`,外部地址是 `0.0.0.0:*`或者`:::*`。这意味着它从任何端口和任何网络接口接受来自任何外部地址(IPv4和IPv6)上的其他RPC客户端的传入TCP连接。 我们看到类似的SSH,Exim正在侦听来自回环接口的流量,如所示的`127.0.0.1`地址。 + +#### UDP + +UDP套接字是_[无状态][14]_的,这意味着它们只有打开或关闭,并且每个进程的连接独立于前后发生的连接。这与TCP的连接状态(例如_LISTEN_,_ESTABLISHED_和_CLOSE_WAIT_)形成对比。 + +我们的netstat输出说明NTPdate:1)接受Linode的公共IP地址的传入连接; 2)通过本地主机进行通信; 3)接受来自外部的连接。这些是通过端口123,同时支持IPv4和IPv6。我们还看到了更多的RPC套接字。 + +### 查明该移除哪个服务 + +如果你在没有启用防火墙的情况下对Linode进行基本的TCP和UDP的[nmap][22]扫描,那么在打开端口的结果中将出现SSH、RPC和NTPdate。通过[配置防火墙][23],你可以过滤掉这些端口,但SSH除外,因为它必须允许你的传入连接。但是,理想情况下,应该禁用未使用的服务。 + +* 你可能主要通过SSH连接管理你的服务器,所以让这个服务需要保留。如上所述,[RSA密钥][8]和[Fail2Ban][9]可以帮助保护SSH。 + +* NTP是服务器计时所必需的,但有NTPdate的替代方法。如果你喜欢不开放网络端口的时间同步方法,并且你不需要纳秒精度,那么你可能有兴趣用[OpenNTPD][10]来代替NTPdate。 + +* 然而,Exim和RPC是不必要的,除非你有特定的用途,否则应该删除它们。 + +> 本节重点介绍Debian 8。默认情况下,不同的Linux发行版具有不同的服务。如果你不确定某项服务的功能,请尝试搜索互联网以了解该功能是什么,然后再尝试删除或禁用它。 + +### 卸载监听的服务 + +如何移除包取决于发行版的包管理器: + +**Arch** + +``` +sudo pacman -Rs package_name +``` + +**CentOS** + + +``` +sudo yum 
remove package_name +``` + + +**Debian / Ubuntu** + +``` +sudo apt-get purge package_name +``` + +**Fedora** + + +``` +sudo dnf remove package_name +``` + +再次运行`sudo netstat -tulpn`,你看到监听的服务就只会有SSH(sshd)和NTP(ntpdate,网络时间协议) + +### 配置防火墙 + +使用_防火墙_阻止不需要的入站流量能为你的Linode提供一个高效的安全层。 通过指定入站流量,你可以阻止入侵和网络映射。 最佳做法是只允许你需要的流量,并拒绝一切其他流量。请参阅我们的一些关于最常见的防火墙程序的文档: + +* [iptables][11]是netfilter的控制器,它是Linux内核的包过滤框架。 默认情况下,iptables包含在大多数Linux发行版中。 + +* [firewallD][12]是可用于CentOS/Fedora系列发行版的iptables控制器。 + +* [UFW][13]为Debian和Ubuntu提供了一个iptables前端。 + +### 接下来 + +这些是加固Linux服务器的最基本步骤,但是进一步的安全层将取决于其预期用途。 其他技术可以包括应用程序配置,使用[入侵检测][24]或者安装某个形式的[访问控制][25]。 + +现在你可以按你的需求开始设置你的Linode了。 我们有一个文档库来以帮助你从[从共享主机迁移][26]到[启用两步验证][27]到[托管网站] [28]等各种主题。 + +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/securing-your-server/ + +作者:[Phil Zona ][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/securing-your-server/ +[1]:http://winscp.net/ +[2]:https://fedoraproject.org/wiki/AutoUpdates#Fedora_21_or_earlier_versions +[3]:https://help.ubuntu.com/lts/serverguide/automatic-updates.html +[4]:https://dnf.readthedocs.org/en/latest/automatic.html +[5]:http://brew.sh/ +[6]:https://www.linode.com/docs/security/use-public-key-authentication-with-ssh#windows-operating-system +[7]:https://www.linode.com/docs/tools-reference/modify-file-permissions-with-chmod +[8]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair +[9]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection +[10]:https://en.wikipedia.org/wiki/OpenNTPD +[11]:https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables +[12]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos 
+[13]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw +[14]:https://en.wikipedia.org/wiki/Stateless_protocol +[15]:https://fedoraproject.org/wiki/AutoUpdates#Why_use_Automatic_updates.3F +[16]:https://www.linode.com/docs/getting-started#logging-in-for-the-first-time +[17]:http://www.fail2ban.org/wiki/index.php/Main_Page +[18]:https://www.linode.com/docs/security/using-fail2ban-for-security +[19]:https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call +[20]:http://support.ntp.org/bin/view/Main/SoftwareDownloads +[21]:http://www.exim.org/ +[22]:https://nmap.org/ +[23]:https://www.linode.com/docs/security/securing-your-server/#configure-a-firewall +[24]:https://linode.com/docs/security/ossec-ids-debian-7 +[25]:https://en.wikipedia.org/wiki/Access_control#Access_Control +[26]:https://www.linode.com/docs/migrate-to-linode/migrate-from-shared-hosting +[27]:https://www.linode.com/docs/security/linode-manager-security-controls +[28]:https://www.linode.com/docs/websites/hosting-a-website From f9b23a8bac46676f6a693952f87de7ff4ff8b98d Mon Sep 17 00:00:00 2001 From: GHLandy Date: Thu, 29 Dec 2016 12:56:28 +0000 Subject: [PATCH 100/181] =?UTF-8?q?[=E5=AE=8C=E6=88=90=E7=BF=BB=E8=AF=91]?= =?UTF-8?q?=20How=20to=20check=20if=20port=20is=20in=20use=20on=20Linux=20?= =?UTF-8?q?or=20Unix?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...heck if port is in use on Linux or Unix.md | 127 ------------------ ...heck if port is in use on Linux or Unix.md | 119 ++++++++++++++++ 2 files changed, 119 insertions(+), 127 deletions(-) delete mode 100644 sources/tech/20161110 How to check if port is in use on Linux or Unix.md create mode 100644 translated/tech/20161110 How to check if port is in use on Linux or Unix.md 
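Review bot: In the added `translated/tech/20160516 Securing Your Server.md`, step 1 under "SSH守护进程选项" reads "**不允许通过SSH登录。**", which drops "root" from the removed source's "Disallow root logins over SSH" and so describes the `PermitRootLogin no` setting as blocking every SSH login; it should say "不允许 root 用户通过 SSH 登录". Literal commands and paths also have to survive translation unchanged: `ls〜/ .ssh / id_rsa *` contains a full-width wave dash and embedded spaces and will not run (the key names in the same step suggest `ls ~/.ssh/id_rsa*`), and the WinSCP upload path `/home/example_user/.ssh /authorized_keys` has a space that the source's `/home/example_user/.ssh/authorized_keys` does not.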
diff --git a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md b/sources/tech/20161110 How to check if port is in use on Linux or Unix.md deleted file mode 100644 index 50b4b34ac3..0000000000 --- a/sources/tech/20161110 How to check if port is in use on Linux or Unix.md +++ /dev/null 
@@ -1,127 +0,0 @@ -GHLandy Translating - -How to check if port is in use on Linux or Unix -============================================================ - -[ - ![](https://s0.cyberciti.org/images/category/old/linux-logo.png) -][1] - -How do I determine if a port is in use under Linux or Unix-like system? How can I verify which ports are listening on Linux server? - -It is important you verify which ports are listing on the server’s network interfaces. You need to pay attention to open ports to detect an intrusion. Apart from an intrusion, for troubleshooting purposes, it may be necessary to check if a port is already in use by a different application on your servers. For example, you may install Apache and Nginx server on the same system. So it is necessary to know if Apache or Nginx is using TCP port # 80/443\. This quick tutorial provides steps to use the netstat, nmap and lsof command to check the ports in use and view the application that is utilizing the port. - -### How to check the listening ports and applications on Linux: - -1. Open a terminal application i.e. shell prompt. -2. Run any one of the following command: - - ``` - sudo lsof -i -P -n | grep LISTEN - sudo netstat -tulpn | grep LISTEN - sudo nmap -sTU -O IP-address-Here - ``` - -Let us see commands and its output in details. - -### Option #1: lsof command - -The syntax is: - -``` -$ sudo lsof -i -P -n -$ sudo lsof -i -P -n | grep LISTEN -$ doas lsof -i -P -n | grep LISTEN -``` - -### [OpenBSD] ### - -Sample outputs: - -[ - ![Fig.01: Check the listening ports and applications with lsof command](https://s0.cyberciti.org/uploads/faq/2016/11/lsof-outputs.png) -][2] - -Fig.01: Check the listening ports and applications with lsof command - -Consider the last line from above outputs: - -``` -sshd 85379 root 3u IPv4 0xffff80000039e000 0t0 TCP 10.86.128.138:22 (LISTEN) -``` - -- sshd is the name of the application. 
-- 10.86.128.138 is the IP address to which sshd application bind to (LISTEN) -- 22 is the TCP port that is being used (LISTEN) -- 85379 is the process ID of the sshd process - -### Option #2: netstat command - -You can check the listening ports and applications with netstat as follows. - -### Linux netstat syntax - -``` -$ netstat -tulpn | grep LISTEN -``` - -### FreeBSD/MacOS X netstat syntax - -``` -$ netstat -anp tcp | grep LISTEN -$ netstat -anp udp | grep LISTEN -``` - -### OpenBSD netstat syntax - -```` -$ netstat -na -f inet | grep LISTEN -$ netstat -nat | grep LISTEN -``` - -### Option #3: nmap command - -The syntax is: - -``` -$ sudo nmap -sT -O localhost -$ sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]## -$ sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]## -``` - -Sample outputs: - -[ - ![Fig.02: Determines which ports are listening for TCP connections using nmap](https://s0.cyberciti.org/uploads/faq/2016/11/nmap-outputs.png) -][3] - -Fig.02: Determines which ports are listening for TCP connections using nmap - -You can combine TCP/UDP scan in a single command: - -`$ sudo nmap -sTU -O 192.168.2.13` - -### A note about Windows users - -You can check port usage from Windows operating system using following command: - -``` -netstat -bano | more -netstat -bano | grep LISTENING -netstat -bano | findstr /R /C:"[LISTING]" -```` - --------------------------------------------------------------------------------- - -via: https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ - -作者:[ VIVEK GITE][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ -[1]:https://www.cyberciti.biz/faq/category/linux/ -[2]:http://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/lsof-outputs/ 
-[3]:http://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/nmap-outputs/ diff --git a/translated/tech/20161110 How to check if port is in use on Linux or Unix.md b/translated/tech/20161110 How to check if port is in use on Linux or Unix.md new file mode 100644 index 0000000000..8a83a45864 --- /dev/null +++ b/translated/tech/20161110 How to check if port is in use on Linux or Unix.md 
@@ -0,0 +1,119 @@ +如何在 \*nix 系统中验证端口是否被占用 +========== + +[![](https://s0.cyberciti.org/images/category/old/linux-logo.png)][1] + +在 Linux 或者类 Unix 中,我该如何检查某个端口是否被占用?我又该如何验证 Linux 服务器中有哪些端口处于监听状态? + +验证哪些端口在服务器的网络接口上处于监听状态是非常重要的。你需要注意那些用于监听指令的开放端口。暂且不说那些用于排除故障的指令,确认服务器上的某个端口是否被其他应用程序占用也是必要的。比方说,你可能会在同一个系统中安装了 Apache 和 Nginx 服务,所以了解是 Apache 还是 Nginx 占用 # 80/443 TCP端口真的很重要。本文会提及使用 netstat、nmap 和 lsof 命令来检查端口是否被占用以及查看程序使用了那些端口。 + +### 如何检查 Linux 中的监听端口和程序 + +1. 打开一个终端,如 shell 命令窗口。 +2. 运行一下任意一行命令: + + ``` + sudo lsof -i -P -n | grep LISTEN + sudo netstat -tulpn | grep LISTEN + sudo nmap -sTU -O IP-address-Here + ``` + +下面我们看看这些命令输出的详细内容: + +### 选择 #1:lsof 命令 + +语法如下: + +``` +$ sudo lsof -i -P -n +$ sudo lsof -i -P -n | grep LISTEN +$ doas lsof -i -P -n | grep LISTEN +``` + +### [OpenBSD] ### + +输出如下: + +[![Fig.01: Check the listening ports and applications with lsof command](https://s0.cyberciti.org/uploads/faq/2016/11/lsof-outputs.png)][2] + +图 1:使用 lsof 命令检查监听端口和程序 + +如上图输出的最后一行: + +``` +sshd 85379 root 3u IPv4 0xffff80000039e000 0t0 TCP 10.86.128.138:22 (LISTEN) +``` + +- sshd 是程序的名称 +- 10.86.128.138 是 sshd 程序绑定监听 (LISTEN) 的 IP 地址 +- 22 是被占用 (LISTEN) 的 TCP 端口 +- 85379 是 sshd 进程的进程 ID (PID) + +### 选择 #2:netstat 命令 + +netstat 命令检查监听端口和程序的用法如下: + +### Linux 中 netstat 语法如下: + +``` +$ netstat -tulpn | grep LISTEN +``` + +### FreeBSD/MacOS X 中 netstat 语法如下: + +``` +$ netstat -anp tcp | grep LISTEN +$ netstat -anp udp | grep LISTEN +``` + +### OpenBSD 中 netstat 语法如下: + +``` +$ netstat -na -f inet | grep LISTEN +$ netstat -nat | grep LISTEN +``` + +### 选择 #3:nmap 命令 + +语法如下: + +``` +$ sudo nmap -sT -O localhost +$ sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]## +$ sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]## +``` + +输出如下: + +[![Fig.02: Determines which ports are listening for TCP connections using nmap](https://s0.cyberciti.org/uploads/faq/2016/11/nmap-outputs.png)][3] + +图 2:使用 nmap 探测那些端口用于监听 TCP 连接 + +你可以在单个命令中同时探测 TCP/UDP 连接: + +`$ sudo nmap -sTU 
-O 192.168.2.13` + +### 关于 Windows 用户 + +你可以使用以下 Windows 自带的命令来检查端口的使用情况: + +``` +netstat -bano | more +netstat -bano | grep LISTENING +netstat -bano | findstr /R /C:"[LISTING]" +``` + +---------------------------------------------------- + +via: https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ + +作者:[ VIVEK GITE][a] +译者:[GHLandy](https://github.com/GHLandy) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ +[1]:https://www.cyberciti.biz/faq/category/linux/ +[2]:http://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/lsof-outputs/ +[3]:http://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/nmap-outputs/ From 884ee9c304287d6427da05e049551d8ec1617ef8 Mon Sep 17 00:00:00 2001 From: wxy Date: Fri, 30 Dec 2016 00:12:56 +0800 Subject: [PATCH 101/181] PROOF:20160516 Securing Your Server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @geekpi 可以参照中文排版指北,注意一下排版,注意是中文和英文中间的空格。 --- .../tech/20160516 Securing Your Server.md | 251 +++++++++--------- 1 file changed, 119 insertions(+), 132 deletions(-) diff --git a/translated/tech/20160516 Securing Your Server.md b/translated/tech/20160516 Securing Your Server.md index 367c5583ef..13a4e6568a 100644 --- a/translated/tech/20160516 Securing Your Server.md +++ b/translated/tech/20160516 Securing Your Server.md 
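Review bot: In the added `translated/tech/20161110 How to check if port is in use on Linux or Unix.md`, the second paragraph loses the intrusion-detection rationale: the removed source says "You need to pay attention to open ports to detect an intrusion. Apart from an intrusion, for troubleshooting purposes, ...", but the translation renders it as "你需要注意那些用于监听指令的开放端口。暂且不说那些用于排除故障的指令", which talks about ports "listening for commands" instead. Suggest something like "你需要留意开放的端口以检测入侵。除了入侵检测之外,出于排除故障的目的,也可能需要确认……". In the Windows section, "Windows 自带的命令" adds "built-in", which the source does not say and which does not hold for the `netstat -bano | grep LISTENING` line, since `grep` is not a stock Windows command; "以下命令" is enough.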
@@ -1,241 +1,235 @@ -保护你的服务器 +Linux 服务器安全简明指南 ============================================================ +现在让我们强化你的服务器以防止未授权访问。 + ### 经常升级系统 -保持最新的软件是任何操作系统可以采取的最大的安全预防措施。软件更新的范围从关键漏洞补丁到小bug的修复,许多软件漏洞实际上是在它们公开的时候修补的。 +保持最新的软件是你可以在任何操作系统上采取的最大的安全预防措施。软件更新的范围从关键漏洞补丁到小 bug 的修复,许多软件漏洞实际上是在它们被公开的时候得到修补的。 ### 自动安全更新 -服务器上有自动更新的参数。[Fedora的Wiki][15]上有一篇很棒的关于故障的正反两方的文章,但是如果你把它限制到安全更新,自动更新的风险将是最小的。 +有一些用于服务器上自动更新的参数。[Fedora 的 Wiki][15] 上有一篇很棒的剖析自动更新的利弊的文章,但是如果你把它限制到安全更新上,自动更新的风险将是最小的。 -自动更新的可行性必须你自己判断,因为它归结为_你_在你的Linode上做什么。请记住,自动更新仅适用于来自仓库的包,而不是自编译的程序。你可能会发现一个复制了生产服务器的测试环境是很值得的。可以在测试环境更新并在部署到生产环境之前检查问题。 +自动更新的可行性必须你自己判断,因为它归结为**你**在你的服务器上做什么。请记住,自动更新仅适用于来自仓库的包,而不是自行编译的程序。你可能会发现一个复制了生产服务器的测试环境是很有必要的。可以在部署到生产环境之前,在测试环境里面更新来检查问题。 -* CentOS使用_[yum-cron][2]_进行自动更新。 - -* Debian和Ubuntu使用_[无人值守升级][3]_。 - -* Fedora使用_[dnf-automatic][4]_。 +* CentOS 使用 [yum-cron][2] 进行自动更新。 +* Debian 和 Ubuntu 使用 [无人值守升级][3]。 +* Fedora 使用 [dnf-automatic][4]。 ### 添加一个受限用户账户 -到目前为止,你已经作为`root`用户访问了你的Linode,它有无限的权限,可以执行_任何_命令 - 甚至可能意外中断你的服务器。 我们建议创建有限权限的用户帐户,并始终使用它。 管理任务使用`sudo`来完成,它可以临时提升用户的权限,以便管理你的服务器。 +到目前为止,你已经作为 `root` 用户访问了你的服务器,它有无限制的权限,可以执行**任何**命令 - 甚至可能意外中断你的服务器。 我们建议创建一个受限用户帐户,并始终使用它。 管理任务应该使用 `sudo` 来完成,它可以临时提升受限用户的权限,以便管理你的服务器。 ->不是所有的Linux发行版都在系统上默认包含`sudo`,但Linode提供的所有镜像都在其软件包仓库中有sudo。 如果得到输出`sudo:command not found`,请在继续之前安装sudo。 +> 不是所有的 Linux 发行版都在系统上默认包含 `sudo`,但大多数都在其软件包仓库中有 `sudo`。 如果得到这样的输出 `sudo:command not found`,请在继续之前安装 `sudo`。 -要添加新用户,首先通过SSH[登录到你的Linode][16]。 +要添加新用户,首先通过 SSH [登录到你的服务器][16]。 -### CentOS / Fedora +#### CentOS / Fedora -1. 创建用户,用你想要的名字替换`example_user`,并分配一个密码: +1、 创建用户,用你想要的名字替换 `example_user`,并分配一个密码: ``` - useradd example_user && passwd example_user +useradd example_user && passwd example_user ``` -2. 将用户添加到具有sudo权限的`wheel`组: +2、 将用户添加到具有 sudo 权限的 `wheel` 组: ``` - usermod -aG wheel example_user +usermod -aG wheel example_user ``` -### Ubuntu +#### Ubuntu -1. 
创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码: +1、 创建用户,用你想要的名字替换 `example_user`。你将被要求输入用户密码: ``` - adduser example_user +adduser example_user ``` -2. 添加用户到`sudo`组,这样你就有管理员权限了: - +2、 添加用户到 `sudo` 组,这样你就有管理员权限了: ``` - adduser example_user sudo +adduser example_user sudo ``` -### Debian - -1. Debian默认的包中没有`sudo`, 使用`apt-get`来安装: +#### Debian +1、 Debian 默认的包中没有 `sudo`, 使用 `apt-get` 来安装: ``` - apt-get install sudo +apt-get install sudo ``` -2. 创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码: +2、 创建用户,用你想要的名字替换 `example_user`。你将被要求输入用户密码: ``` - adduser example_user +adduser example_user ``` -3. 添加用户到`sudo`组,这样你就有管理员权限了: +3、 添加用户到 `sudo` 组,这样你就有管理员权限了: ``` - adduser example_user sudo +adduser example_user sudo ``` -创建完有限权限的用户后,断开你的Linode: +创建完有限权限的用户后,断开你的服务器连接: ``` exit ``` -重新用你的新用户登录。用你的用户名代替`example_user`,用你的IP地址代替例子中的IP地址: +重新用你的新用户登录。用你的用户名代替 `example_user`,用你的服务器 IP 地址代替例子中的 IP 地址: ``` ssh example_user@203.0.113.10 ``` -现在你可以用你的新用户帐户管理你的Linode,而不是`root`。 几乎所有超级用户命令都可以用`sudo`(例如:`sudo iptables -L -nv`)来执行,这些命令将被记录到/var/log/auth.log中。 +现在你可以用你的新用户帐户管理你的服务器,而不是 `root`。 几乎所有超级用户命令都可以用 `sudo`(例如:`sudo iptables -L -nv`)来执行,这些命令将被记录到 `/var/log/auth.log` 中。 -### 加固SSH访问 +### 加固 SSH 访问 -默认情况下,密码认证用于通过SSH连接到您的Linode。加密密钥对更安全,因为用私钥代替了密码,这通常更难以暴力破解。在本节中,我们将创建一个密钥对,并将Linode配置为不接受SSH密码登录。 +默认情况下,密码认证用于通过 SSH 连接到您的服务器。加密密钥对更加安全,因为它用私钥代替了密码,这通常更难以暴力破解。在本节中,我们将创建一个密钥对,并将服务器配置为不接受 SSH 密码登录。 -###创建验证密钥对 +#### 创建验证密钥对 -1.这是在你本机上完成的,**不是**你的Linode,这里将创建一个4096位的RSA密钥对。在创建过程中,您可以选择使用密码加密私钥。这意味着它不能在没有输入密码的情况下使用,除非将其保存到本机桌面的密钥管理器中。我们建议您使用带有密码的密钥对,但如果你不想使用密码,则可以将此字段留空。 +1、这是在你本机上完成的,**不是**在你的服务器上,这里将创建一个 4096 位的 RSA 密钥对。在创建过程中,您可以选择使用密码加密私钥。这意味着它不能在没有输入密码的情况下使用,除非将密码保存到本机桌面的密钥管理器中。我们建议您使用带有密码的密钥对,但如果你不想使用密码,则可以将此字段留空。 -    ** Linux / OS X ** +**Linux / OS X** -    >如果你已经创建了RSA密钥对,则用这个命令将覆盖它,这可能会不能访问其他系统。如果你已创建密钥对,请跳过此步骤。要检查现有的密钥,请运行`ls〜/ .ssh / id_rsa *`。 +> 如果你已经创建了 RSA 密钥对,则这个命令将会覆盖它,这可能会导致你不能访问其它的操作系统。如果你已创建过密钥对,请跳过此步骤。要检查现有的密钥,请运行 `ls〜/ .ssh / id_rsa *`。 ``` - ssh-keygen -b 4096 +ssh-keygen -b 
4096 ``` - 在输入密码之前,按下** 回车 **在`/home/your_username/.ssh`中使用默认名称`id_rsa`和`id_rsa.pub`。 +在输入密码之前,按下 **回车**使用 `/home/your_username/.ssh` 中的默认名称 `id_rsa` 和 `id_rsa.pub`。 - **Windows** +**Windows** - 这可以使用PuTTY完成,在我们指南中已有描述:[使用SSH公钥验证][6]。 +这可以使用 PuTTY 完成,在我们指南中已有描述:[使用 SSH 公钥验证][6]。 -2.将公钥上传到您的Linode上。 将`example_user`替换为管理服务器的用户的名称,将`203.0.113.10`替换为你的Linode的IP地址。 +2、将公钥上传到您的服务器上。 将 `example_user` 替换为你用来管理服务器的用户名称,将 `203.0.113.10` 替换为你的服务器的 IP 地址。 - **Linux** +**Linux** - 在本机上: +在本机上: ``` - ssh-copy-id example_user@203.0.113.10 +ssh-copy-id example_user@203.0.113.10 ``` - **OS X** +**OS X** - 在你的Linode上(用你的有限权限用户登录): +在你的服务器上(用你的权限受限用户登录): ``` - mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ +mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ ``` - 在本机上: +在本机上: ``` - scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys +scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys ``` - > 如果对于scp你更喜欢`ssh-copy-id`,那么它可以在[Homebrew][5]中找到。使用`brew install ssh-copy-id`安装。 +> 如果相对于 `scp` 你更喜欢 `ssh-copy-id` 的话,那么它也可以在 [Homebrew][5] 中找到。使用 `brew install ssh-copy-id` 安装。 - **Windows** +**Windows** - * **选择1 **:使用[WinSCP][1]来完成。 在登录窗口中,输入你的Linode的IP地址作为主机名,以及非root的用户名和密码。单击_登录_连接。 +* **选择 1**:使用 [WinSCP][1] 来完成。 在登录窗口中,输入你的服务器的 IP 地址作为主机名,以及非 root 的用户名和密码。单击“登录”连接。 -         一旦WinSCP连接后,你会看到两个主要部分。 左边显示本机上的文件,右边显示Linode上的文件。 使用左侧的文件浏览器,导航到你已保存公钥的文件,选择公钥文件,然后点击上面工具栏中的_上传_。 + 一旦 WinSCP 连接后,你会看到两个主要部分。 左边显示本机上的文件,右边显示服务区上的文件。 使用左侧的文件浏览器,导航到你已保存公钥的文件,选择公钥文件,然后点击上面工具栏中的“上传”。 -         系统会提示你输入要将文件放在Linode上的路径。 将文件上传到`/home/example_user/.ssh /authorized_keys`,用你的用户名替换`example_user`。 + 系统会提示你输入要将文件放在服务器上的路径。 将文件上传到 `/home/example_user/.ssh /authorized_keys`,用你的用户名替换 `example_user`。 -     * **选择2:**将公钥直接从PuTTY键生成器复制到连接到你的Linode中(作为非root用户): +* **选择 2**:将公钥直接从 PuTTY 键生成器复制到连接到你的服务器中(作为非 root 用户): ``` - mkdir ~/.ssh; nano ~/.ssh/authorized_keys + mkdir ~/.ssh; nano ~/.ssh/authorized_keys ``` - - 上面命令将在文本编辑器中打开一个名为“authorized_keys”的空白文件。 将公钥复制到文本文件中,确保复制的与PuTTY生成的完全一样。 
按下** CTRL + X **,然后按下** Y **,然后**回车**保存文件。 + 上面命令将在文本编辑器中打开一个名为 `authorized_keys` 的空文件。 将公钥复制到文本文件中,确保复制为一行,与 PuTTY 所生成的完全一样。 按下 `CTRL + X`,然后按下 `Y`,然后回车保存文件。 - 最后,你需要为公钥目录和密钥文件本身设置权限: +最后,你需要为公钥目录和密钥文件本身设置权限: ``` - sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys +sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys ``` - 这些命令通过阻止其他用户访问公钥目录以及文件本身来提供额外的安全性。有关它如何工作的更多信息,请参阅我们的指南[如何修改文件权限][7]。 +这些命令通过阻止其他用户访问公钥目录以及文件本身来提供额外的安全性。有关它如何工作的更多信息,请参阅我们的指南[如何修改文件权限][7]。 -3. 现在退出并重新登录你的Linode。如果你为私钥指定了密码,则需要输入密码。 +3、 现在退出并重新登录你的服务器。如果你为私钥指定了密码,则需要输入密码。 -### SSH守护进程选项 +#### SSH 守护进程选项 -1. **不允许通过SSH登录。** 这需要所有SSH连接都是非root用户。一旦连接了有限权限的用户帐户,可以通过使用`sudo`或使用`su -`改为root shell来使用管理员权限。 +1、 **不允许 root 用户通过 SSH 登录。** 这要求所有的 SSH 连接都是通过非 root 用户进行。当以受限用户帐户连接后,可以通过使用 `sudo` 或使用 `su -` 切换为 root shell 来使用管理员权限。 ``` - # Authentication: - ... - PermitRootLogin no +# Authentication: +... +PermitRootLogin no ``` - -2. **禁用SSH密码认证。** 这要求所有通过SSH连接的用户使用密钥认证。根据Linux发行版,它可能需要添加`PasswordAuthentication`这行,或者删除前面的“#”来取消注释。 - +2、 **禁用 SSH 密码认证。** 这要求所有通过 SSH 连接的用户使用密钥认证。根据 Linux 发行版的不同,它可能需要添加 `PasswordAuthentication` 这行,或者删除前面的 `#` 来取消注释。 ``` - # Change to no to disable tunnelled clear text passwords - PasswordAuthentication no +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication no ``` - > 如果你从许多不同的计算机连接到Linode,你可能想要启用密码验证。这将允许你使用密码进行身份验证,而不是为每个设备生成和上传密钥对。 +> 如果你从许多不同的计算机连接到服务器,你可能想要继续启用密码验证。这将允许你使用密码进行身份验证,而不是为每个设备生成和上传密钥对。 -3. 
**只监听一个互联网协议。** 在默认情况下,SSH守护进程同时监听IPv4和IPv6上的传入连接。除非你需要使用这两种协议进入你的Linode,否则就禁用你不需要的。 _这不会禁用系统范围的协议,它只用于SSH守护进程。_ +3、 **只监听一个互联网协议。** 在默认情况下,SSH 守护进程同时监听 IPv4 和 IPv6 上的传入连接。除非你需要使用这两种协议进入你的服务器,否则就禁用你不需要的。 _这不会禁用系统范围的协议,它只用于 SSH 守护进程。_ - 使用选项: +使用选项: - * `AddressFamily inet` 只监听IPv4。 - * `AddressFamily inet6` 只监听IPv6。 +* `AddressFamily inet` 只监听 IPv4。 +* `AddressFamily inet6` 只监听 IPv6。 - 默认情况下,`AddressFamily`选项通常不在`sshd_config`文件中。将它添加到文件的末尾: +默认情况下,`AddressFamily` 选项通常不在 `sshd_config` 文件中。将它添加到文件的末尾: ``` - echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config -``` - - -4. 重新启动SSH服务以加载新配置。 - - 如果你使用的Linux发行版使用systemd(CentOS 7、Debian 8、Fedora、Ubuntu 15.10+) -``` - sudo systemctl restart sshd +echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config ``` - 如果您的init系统是SystemV或Upstart(CentOS 6、Debian 7、Ubuntu 14.04): +4、 重新启动 SSH 服务以加载新配置。 + +如果你使用的 Linux 发行版使用 systemd(CentOS 7、Debian 8、Fedora、Ubuntu 15.10+) ``` - sudo service ssh restart +sudo systemctl restart sshd ``` -### 使用Fail2Ban保护SSH登录 +如果您的 init 系统是 SystemV 或 Upstart(CentOS 6、Debian 7、Ubuntu 14.04): -[_Fail2Ban _][17]是一个应用程序,它会在太多的失败登录尝试后禁止IP地址登录到你的服务器。由于合法登录通常只需要三次尝试成功(如果使用SSH密钥,那不会不超过一个),因此如果服务器充满了登录失败的请求那就表示有恶意访问。 +``` +sudo service ssh restart +``` -Fail2Ban可以监视各种协议,包括SSH、HTTP和SMTP。默认情况下,Fail2Ban仅监视SSH,并且对任何服务器都是有帮助的安全威慑,因为SSH守护程序通常配置为持续运行并监听来自任何远程IP地址的连接。 +#### 使用 Fail2Ban 保护 SSH 登录 -有关安装和配置Fail2Ban的完整说明,请参阅我们的指南:[使用Fail2ban保护服务器][18]。 +[Fail2Ban][17] 是一个应用程序,它会在太多的失败登录尝试后禁止 IP 地址登录到你的服务器。由于合法登录通常不会超过三次尝试(如果使用 SSH 密钥,那不会超过一个),因此如果服务器充满了登录失败的请求那就表示有恶意访问。 + +Fail2Ban 可以监视各种协议,包括 SSH、HTTP 和 SMTP。默认情况下,Fail2Ban 仅监视 SSH,并且因为 SSH 守护程序通常配置为持续运行并监听来自任何远程 IP 地址的连接,所以对于任何服务器都是一种安全威慑。 + +有关安装和配置 Fail2Ban 的完整说明,请参阅我们的指南:[使用 Fail2ban 保护服务器][18]。 ### 删除未使用的面向网络的服务 -大多数Linux发行版都安装并运行了网络服务,监听来自互联网,回环接口或两者的组合的传入连接。 将不需要的面向网络的服务从系统中删除,以减少运行进程和对已安装软件包攻击的概率。 +大多数 Linux 发行版都安装并运行了网络服务,监听来自互联网、回环接口或两者兼有的传入连接。 将不需要的面向网络的服务从系统中删除,以减少对运行进程和对已安装软件包攻击的概率。 -### 查明运行的服务 +#### 查明运行的服务 -要查看Linode中运行的服务: +要查看服务器中运行的服务: ``` sudo 
netstat -tulpn ``` +> 如果默认情况下 `netstat` 没有包含在你的 Linux 发行版中,请安装软件包 `net-tools` 或使用 `ss -tulpn` 命令。 -> 如果默认情况下netstat不包含在你的Linux发行版中,请安装软件包`net-tools`或使用`ss -tulpn`命令。 - -以下是netstat的输出示例。 请注意,因为默认情况下不同发行版会运行不同的服务,你的输出将有所不同: +以下是 `netstat` 的输出示例。 请注意,因为默认情况下不同发行版会运行不同的服务,你的输出将有所不同: ``` 
@@ -264,31 +258,29 @@ udp6 0 0 :::705 :::* udp6 0 0 :::60671 :::* 2845/rpc.statd ``` -netstat告诉我们服务正在运行[远程过程调用][19](rpc.statd和rpcbind)、SSH(sshd)、[NTPdate][20](ntpd)和[Exim][21](exim4)。 +`netstat` 告诉我们服务正在运行 [RPC][19](`rpc.statd` 和 `rpcbind`)、SSH(`sshd`)、[NTPdate][20](`ntpd`)和[Exim][21](`exim4`)。 -#### TCP +##### TCP -请参阅netstat输出的** Local Address **哪列。进程`rpcbind`正在侦听`0.0.0.0:111`和`:::111`,外部地址是 `0.0.0.0:*`或者`:::*`。这意味着它从任何端口和任何网络接口接受来自任何外部地址(IPv4和IPv6)上的其他RPC客户端的传入TCP连接。 我们看到类似的SSH,Exim正在侦听来自回环接口的流量,如所示的`127.0.0.1`地址。 +请参阅 `netstat` 输出的 `Local Address` 那一列。进程 `rpcbind` 正在侦听 `0.0.0.0:111` 和 `:::111`,外部地址是 `0.0.0.0:*` 或者 `:::*` 。这意味着它从任何端口和任何网络接口接受来自任何外部地址(IPv4 和 IPv6)上的其它 RPC 客户端的传入 TCP 连接。 我们看到类似的 SSH,Exim 正在侦听来自回环接口的流量,如所示的 `127.0.0.1` 地址。 -#### UDP +##### UDP -UDP套接字是_[无状态][14]_的,这意味着它们只有打开或关闭,并且每个进程的连接独立于前后发生的连接。这与TCP的连接状态(例如_LISTEN_,_ESTABLISHED_和_CLOSE_WAIT_)形成对比。 +UDP 套接字是[无状态][14]的,这意味着它们只有打开或关闭,并且每个进程的连接是独立于前后发生的连接。这与 TCP 的连接状态(例如 `LISTEN`、`ESTABLISHED`和 `CLOSE_WAIT`)形成对比。 -我们的netstat输出说明NTPdate:1)接受Linode的公共IP地址的传入连接; 2)通过本地主机进行通信; 3)接受来自外部的连接。这些是通过端口123,同时支持IPv4和IPv6。我们还看到了更多的RPC套接字。 +我们的 `netstat`输出说明 NTPdate :1)接受服务器的公网 IP 地址的传入连接;2)通过本地主机进行通信;3)接受来自外部的连接。这些连接是通过端口 123 进行的,同时支持 IPv4 和 IPv6。我们还看到了 RPC 打开的更多的套接字。 -### 查明该移除哪个服务 +#### 查明该移除哪个服务 -如果你在没有启用防火墙的情况下对Linode进行基本的TCP和UDP的[nmap][22]扫描,那么在打开端口的结果中将出现SSH、RPC和NTPdate。通过[配置防火墙][23],你可以过滤掉这些端口,但SSH除外,因为它必须允许你的传入连接。但是,理想情况下,应该禁用未使用的服务。 +如果你在没有启用防火墙的情况下对服务器进行基本的 TCP 和 UDP 的 [nmap][22] 扫描,那么在打开端口的结果中将出现 SSH、RPC 和 NTPdate 。通过[配置防火墙][23],你可以过滤掉这些端口,但 SSH 除外,因为它必须允许你的传入连接。但是,理想情况下,应该禁用未使用的服务。 -* 你可能主要通过SSH连接管理你的服务器,所以让这个服务需要保留。如上所述,[RSA密钥][8]和[Fail2Ban][9]可以帮助保护SSH。 +* 你可能主要通过 SSH 连接管理你的服务器,所以让这个服务需要保留。如上所述,[RSA 密钥][8]和 [Fail2Ban][9] 可以帮助你保护 SSH。 +* NTP 是服务器计时所必需的,但有个替代 NTPdate 的方法。如果你喜欢不开放网络端口的时间同步方法,并且你不需要纳秒精度,那么你可能有兴趣用 [OpenNTPD][10] 来代替 NTPdate。 +* 然而,Exim 和 RPC 是不必要的,除非你有特定的用途,否则应该删除它们。 -* NTP是服务器计时所必需的,但有NTPdate的替代方法。如果你喜欢不开放网络端口的时间同步方法,并且你不需要纳秒精度,那么你可能有兴趣用[OpenNTPD][10]来代替NTPdate。 +> 本节针对 Debian 
8。默认情况下,不同的 Linux 发行版具有不同的服务。如果你不确定某项服务的功能,请尝试搜索互联网以了解该功能是什么,然后再尝试删除或禁用它。 -* 然而,Exim和RPC是不必要的,除非你有特定的用途,否则应该删除它们。 - -> 本节重点介绍Debian 8。默认情况下,不同的Linux发行版具有不同的服务。如果你不确定某项服务的功能,请尝试搜索互联网以了解该功能是什么,然后再尝试删除或禁用它。 - -### 卸载监听的服务 +#### 卸载监听的服务 如何移除包取决于发行版的包管理器: @@ -300,12 +292,10 @@ sudo pacman -Rs package_name **CentOS** - ``` sudo yum remove package_name ``` - **Debian / Ubuntu** ``` @@ -314,36 +304,33 @@ sudo apt-get purge package_name **Fedora** - ``` sudo dnf remove package_name ``` -再次运行`sudo netstat -tulpn`,你看到监听的服务就只会有SSH(sshd)和NTP(ntpdate,网络时间协议) +再次运行 `sudo netstat -tulpn`,你看到监听的服务就只会有 SSH(`sshd`)和 NTP(`ntpdate`,网络时间协议)。 ### 配置防火墙 -使用_防火墙_阻止不需要的入站流量能为你的Linode提供一个高效的安全层。 通过指定入站流量,你可以阻止入侵和网络映射。 最佳做法是只允许你需要的流量,并拒绝一切其他流量。请参阅我们的一些关于最常见的防火墙程序的文档: +使用防火墙阻止不需要的入站流量能为你的服务器提供一个高效的安全层。 通过指定入站流量,你可以阻止入侵和网络测绘。 最佳做法是只允许你需要的流量,并拒绝一切其他流量。请参阅我们的一些关于最常见的防火墙程序的文档: -* [iptables][11]是netfilter的控制器,它是Linux内核的包过滤框架。 默认情况下,iptables包含在大多数Linux发行版中。 - -* [firewallD][12]是可用于CentOS/Fedora系列发行版的iptables控制器。 - -* [UFW][13]为Debian和Ubuntu提供了一个iptables前端。 +* [iptables][11] 是 netfilter 的控制器,它是 Linux 内核的包过滤框架。 默认情况下,iptables 包含在大多数 Linux 发行版中。 +* [firewallD][12] 是可用于 CentOS/Fedora 系列发行版的 iptables 控制器。 +* [UFW][13] 为 Debian 和 Ubuntu 提供了一个 iptables 前端。 ### 接下来 -这些是加固Linux服务器的最基本步骤,但是进一步的安全层将取决于其预期用途。 其他技术可以包括应用程序配置,使用[入侵检测][24]或者安装某个形式的[访问控制][25]。 +这些是加固 Linux 服务器的最基本步骤,但是进一步的安全层将取决于其预期用途。 其他技术可以包括应用程序配置,使用[入侵检测][24]或者安装某个形式的[访问控制][25]。 -现在你可以按你的需求开始设置你的Linode了。 我们有一个文档库来以帮助你从[从共享主机迁移][26]到[启用两步验证][27]到[托管网站] [28]等各种主题。 +现在你可以按你的需求开始设置你的服务器了。 我们有一个文档库来以帮助你从[从共享主机迁移][26]到[启用两步验证][27]到[托管网站] [28]等各种主题。 -------------------------------------------------------------------------------- via: https://www.linode.com/docs/security/securing-your-server/ -作者:[Phil Zona ][a] +作者:[Phil Zona][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 
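Review bot: In the `@@ -1,241 +1,235 @@` hunk, the key-check command in the added Linux / OS X note is still garbled: `ls〜/ .ssh / id_rsa *` carries a full-width tilde and stray spaces and will not run as typed; it should read `ls ~/.ssh/id_rsa*`. The same hunk keeps a stray space in the WinSCP upload path `/home/example_user/.ssh /authorized_keys`, and the new line "右边显示服务区上的文件" introduces 服务区 where 服务器 is meant. Readers copy these paths verbatim while setting up key authentication, so they should be fixed before the article is moved to published.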
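Review bot: In the `@@ -314,36 +304,33 @@` hunk, the closing paragraph still has `[托管网站] [28]` with a space between the link text and the reference label, which CommonMark-style renderers will not resolve as a link; the same added line reads "我们有一个文档库来以帮助你" with a leftover 以. Suggest `[托管网站][28]` and "我们有一个文档库来帮助你", in line with the `[Phil Zona][a]` cleanup made a few lines further down.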
From 5b1216b6f25af389c22cc4dea89dbb70ecf0d386 Mon Sep 17 00:00:00 2001 From: wxy Date: Fri, 30 Dec 2016 00:13:11 +0800 Subject: [PATCH 102/181] PUB:20160516 Securing Your Server @geekpi --- {translated/tech => published}/20160516 Securing Your Server.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20160516 Securing Your Server.md (100%) diff --git a/translated/tech/20160516 Securing Your Server.md b/published/20160516 Securing Your Server.md similarity index 100% rename from translated/tech/20160516 Securing Your Server.md rename to published/20160516 Securing Your Server.md From 9b19c7dfe84d6ce5ef82eb2cb1fe5caec98abd54 Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Thu, 29 Dec 2016 16:31:43 +0000 Subject: [PATCH 103/181] Update 20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md --- ...ld Xorg Apps in Unity 8 on Ubuntu 16.10.md | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md b/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md index b69f0474c7..712f069590 100644 --- a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md +++ b/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md 
@@ -1,26 +1,45 @@ translating by ypingcn. How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10 + +如何在 Ubuntu 16.10 的 Unity 8 上使用之前的 Xorg 程序 + ==== ![](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-feature-image.jpg "How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10s") +随着 Ubuntu 16.10 的发布,Unity 8 吸引到了比平时更多的目光。这是因为这个大家最爱的 Linux 发行版的最新版本进行着一项桌面显示实验。桌面发行版是人们最熟悉的 Unity 环境,但有一点点不同。它不再使用 X11 图形技术,Ubuntu的开发者选择了另一种截然不同的方式。 + With the release of Ubuntu 16.10, Unity 8 has been getting more attention than usual. This is because the latest release of everyone’s favorite Linux distribution comes with an experimental desktop to play with. This desktop is the Unity environment most are used to, with a twist. It no longer is making use of X11 graphics technology and instead the makers of Ubuntu have gone a different way. +原来,Unity 8 用的是 Mir,这是 Ubuntu 对 Linux 上更好显示服务的号召所做出的回答。这项技术已经 Ubuntu phone 和平板上大量使用,但是这次新版是我们在桌面环境上第一次见到 Mir 。 + In its place, Unity 8 is using Mir, Ubuntu’s answer to calls for a better-performing display server on Linux. This technology has been in heavy use already on the Ubuntu phone and tablet, but this new release is the first time we’ve seen it on the desktop. +这项技术相当新颖,结果是没多少 Linux 程序能运行在它之上。不是所有,那也是大部分的程序被设计在 Xorg 和 X11 之上运行。如果你一直尝试在 Unity 8 上运行这些程序,当你了解到在 Unity 8上确实有可能运行之前的 Xorg 程序时,你会很开心的。接下来是如何做! + This technology is new and shiny. As a result, not a lot of established Linux programs can work on it, as most, if not all, of these tools are built to work with Xorg and X11\. However, if you’ve been wanting to try out Unity 8, you’ll be happy to know that it is indeed possible to get these old Xorg apps working in Unity 8\. Here’s how! 
### Logging Into Unity 8 +### 登录进 Unity 8 + ![unity8-select-unity-8-login](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-select-unity-8-login.jpg "unity8-select-unity-8-login") +Unity 8 在 Ubuntu 16.10 上是一个可选会话。在使用之前只须牢记一件事情:它不会加载 AMD 的图形驱动,Intel 的同样不会加载。唯一支持的图形驱动是 Nvidia 的开源驱动。要用 Unity 8 的话,只要像往常那样启动 Ubuntu,然后,在登录进去之前,点击用户名上面的 Ubuntu 图标,选择 Unity8 选项。如果万事顺利的话,这个新的、试验性的桌面环境将会加载。 + Unity 8 comes as an optional session in Ubuntu 16.10\. There’s one key thing to keep in mind before using it: it will not load with AMD graphics drivers, or Intel for that matter. The only supported graphics drivers as of now are the open source Nvidia drivers. To use the Unity 8 session, start up Ubuntu like normal. Then, before logging in, click the Ubuntu icon above your username and select “Unity8.” If all goes well, the new, experimental desktop will load. +**注意**: Unity 8 非常新而且不稳定,自行承担使用风险。 + **Note**: Unity 8 is very new and unstable. Use at your own risk. ### Installing Libertine +### 安装 Libertine + +Xorg 程序(例如 Firefox 等)确实能在 Unity 8 上使用,在使用之前需要一点小调整。在 Mir 桌面上用终端打开 Libertine ,在 scopes 窗口中点击终端图标就能完成。一旦打开,输入你的密码。接下来,输入以下的命令: + Xorg programs (like Firefox, etc.) do work in Unity 8; they just need a little tweak before anything will run. Start off by opening a terminal on the Mir desktop. This is done by clicking the terminal icon in the “scopes” window. Once open, enter your password. After that, enter the following commands: ![unity8-installing-libertine-in-terminal](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-installing-libertine-in-terminal.jpg "unity8-installing-libertine-in-terminal") 
@@ -29,28 +48,48 @@ Xorg programs (like Firefox, etc.) do work in Unity 8; they just need a little t sudo apt install libertine-tools libertine-scope libertine ``` +当这些程序完成安装后,点击并拖动 scopes 窗口以刷新内容。然后,在面板上点击来启动libertine。 + When these programs finish installing, click and drag the scope window to refresh it. Then, click on the top-hat to launch libertine. ### Creating Xorg Containers +### 新建 Xorg 容器 + +打开 Libertine,就到时间来新建一些容器了。这些容器很特别,因为他们能让基于 X11 的 Linux 程序在 Mir/Unity 8 桌面上的容器之中运行。另外,点击“i386 multiarch support"复选框来获得 32 位支持。否则,什么都不要动(或者输入名字和密码),点击”OK”。 + With Libertine open, it’s time to create some containers. These containers are special, as they allow X11 based Linux programs to run inside of a container on the Mir/Unity 8 desktop. Additionally, check the “i386 multiarch support” box for 32bit support. Otherwise, leave everything as is (or give it a name and password), and click OK. ![unity8-libertine-create-new-container](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-create-new-container.jpg "unity8-libertine-create-new-container") +在这之后,这个 Xorg 容器就准备好以供使用了。在 Libertine 找到它并启动。删除也很容易,右键点击容器,选择“删除”选项。 + From this point on, the Xorg container is ready to use. Look for it in Libertine and launch the container. It also should be noted that containers can be erased by right-clicking on them, then selecting the “Delete” option. +**注意**:每一个 Xorg 容器有 500 MB的最大内存限制。所以多个容器是有必要的。 + **Note**: each Xorg container has a maximum memory limit of 500 megabytes, so multiple containers may be necessary. ### Installing Software +### 安装软件 + ![unity8-libertine-install-software](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-install-software.jpg "unity8-libertine-install-software") +两天内在 Libertine 容器中安装好软件。第一步允许用户启动容器后选择“输入包名或者 Debian 文件”,这意味着用户可以在软件中心或者终端找到一个软件的名字,然后输入 Libertine 来安装,也可以指定特定的 DEB 文件来安装,也可以在Libertine LXC 容器中直接搜索安装包。 + Software is installed in Libertine containers in two ways. 
The first way allows for users to launch the container and select “Enter package name or Debian file,” meaning it is possible to find the name of a program in the software center or terminal and enter it into Libertine to install it. It is also possible to specify a .DEB package file for installation. It is also possible to search for the package directly within the Libertine LXC container. +**注意**:Unity 8 非常新,一些程序或许不能在 Libertine 里加载或者完全安装。 + **Note**: Unity 8 is very new, and some programs may not load or fully install with Libertine. ### Conclusion +### 结论 + +Unity 8展现了不少的新特性,它现代、时髦,而且比之前任何一个 Unity 迭代版本都快。唯一限制它的就是使用率。事实是大部分用户更乐意选择实用的应用程序,而不是一个别致新颖的桌面环境。某种程度上来说,使用 Libertine 能解决这个问题,但它不会永久有效。早晚有一天,Canonical 将有必要自行引进程序或者向社区求助来彻底解决这个问题。 + Unity 8 shows a lot of promise. It’s modern, sleek, and faster than any iteration of Unity that came before it. The only thing that is holding it back is adoption. The simple fact is that most users would rather have programs that work instead of a fancy, fresh desktop. To an extent, using Libertine solves this issue, but it won’t work forever. Sooner or later Canonical will need to start porting programs on their own or reach out to the community as as whole to make this happen. -------------------------------------------------------------------------------- @@ -59,7 +98,7 @@ via: https://www.maketecheasier.com/use-old-xorg-apps-unity-8/ 作者:[Derrik Diener][a] -译者:[译者ID](https://github.com/译者ID) +译者:[ypingcn](https://github.com/ypingcn) 校对:[校对者ID](https://github.com/校对者ID) From 90162457b6a88e2c8b49036ade1c3252cd9a4860 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 09:16:41 +0800 Subject: [PATCH 104/181] translating --- sources/tech/20161128 Mir is not only about Unity8.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161128 Mir is not only about Unity8.md b/sources/tech/20161128 Mir is not only about Unity8.md index 7721b0d2b0..f45ed1eb70 100644 
--- a/sources/tech/20161128 Mir is not only about Unity8.md +++ b/sources/tech/20161128 Mir is not only about Unity8.md @@ -1,3 +1,5 @@ +translating---geekpi + Mir is not only about Unity8 ============================================================ From c2bc2b5d1c38ccc5f40881042349a4e3f3a62fdd Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Fri, 30 Dec 2016 01:59:16 +0000 Subject: [PATCH 105/181] Create 20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md --- ...ld Xorg Apps in Unity 8 on Ubuntu 16.10.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 translated/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md diff --git a/translated/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md b/translated/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md new file mode 100644 index 0000000000..86f701dad8 --- /dev/null +++ b/translated/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md 
@@ -0,0 +1,74 @@ +如何在 Ubuntu 16.10 的 Unity 8 上使用之前的 Xorg 程序 +==== + +![](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-feature-image.jpg "How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10s") + +随着 Ubuntu 16.10 的发布,Unity 8 吸引到了比平时更多的目光。这是因为这个大家最爱的 Linux 发行版的最新版本进行着一项桌面显示实验。桌面发行版是人们最熟悉的 Unity 环境,但有一点点不同。它不再使用 X11 图形技术,Ubuntu的开发者选择了另一种截然不同的方式。 + +原来,Unity 8 用的是 Mir,这是 Ubuntu 对 Linux 上更好显示服务的号召所做出的回答。这项技术已经 Ubuntu phone 和平板上大量使用,但是这次新版是我们在桌面环境上第一次见到 Mir 。 + +这项技术相当新颖,结果是没多少 Linux 程序能运行在它之上。不是所有,那也是大部分的程序被设计在 Xorg 和 X11 之上运行。如果你一直尝试在 Unity 8 上运行这些程序,当你了解到在 Unity 8上确实有可能运行之前的 Xorg 程序时,你会很开心的。接下来是如何做! + +### 登录进 Unity 8 + +![unity8-select-unity-8-login](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-select-unity-8-login.jpg "unity8-select-unity-8-login") + +Unity 8 在 Ubuntu 16.10 上是一个可选会话。在使用之前只须牢记一件事情:它不会加载 AMD 的图形驱动,Intel 的同样不会加载。唯一支持的图形驱动是 Nvidia 的开源驱动。要用 Unity 8 的话,只要像往常那样启动 Ubuntu,然后,在登录进去之前,点击用户名上面的 Ubuntu 图标,选择 Unity8 选项。如果万事顺利的话,这个新的、试验性的桌面环境将会加载。 + +**注意**: Unity 8 非常新而且不稳定,自行承担使用风险。 + +### 安装 Libertine + +Xorg 程序(例如 Firefox 等)确实能在 Unity 8 上使用,在使用之前需要一点小调整。在 Mir 桌面上用终端打开 Libertine ,在 scopes 窗口中点击终端图标就能完成。一旦打开,输入你的密码。接下来,输入以下的命令: + +![unity8-installing-libertine-in-terminal](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-installing-libertine-in-terminal.jpg "unity8-installing-libertine-in-terminal") + +``` +sudo apt install libertine-tools libertine-scope libertine +``` + +当这些程序完成安装后,点击并拖动 scopes 窗口以刷新内容。然后,在面板上点击来启动libertine。 + +### 新建 Xorg 容器 + +打开 Libertine,就到时间来新建一些容器了。这些容器很特别,因为他们能让基于 X11 的 Linux 程序在 Mir/Unity 8 桌面上的容器之中运行。另外,点击“i386 multiarch support"复选框来获得 32 位支持。否则,什么都不要动(或者输入名字和密码),点击”OK”。 + +![unity8-libertine-create-new-container](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-create-new-container.jpg "unity8-libertine-create-new-container") + +在这之后,这个 Xorg 容器就准备好以供使用了。在 Libertine 找到它并启动。删除也很容易,右键点击容器,选择“删除”选项。 + +**注意**:每一个 Xorg 容器有 500 
MB的最大内存限制。所以多个容器是有必要的。 + +### 安装软件 + +![unity8-libertine-install-software](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-install-software.jpg "unity8-libertine-install-software") + +两天内在 Libertine 容器中安装好软件。第一步允许用户启动容器后选择“输入包名或者 Debian 文件”,这意味着用户可以在软件中心或者终端找到一个软件的名字,然后输入 Libertine 来安装,也可以指定特定的 DEB 文件来安装,也可以在Libertine LXC 容器中直接搜索安装包。 + +**注意**:Unity 8 非常新,一些程序或许不能在 Libertine 里加载或者完全安装。 + +### 结论 + +Unity 8展现了不少的新特性,它现代、时髦,而且比之前任何一个 Unity 迭代版本都快。唯一限制它的就是使用率。事实是大部分用户更乐意选择实用的应用程序,而不是一个别致新颖的桌面环境。某种程度上来说,使用 Libertine 能解决这个问题,但它不会永久有效。早晚有一天,Canonical 将有必要自行引进程序或者向社区求助来彻底解决这个问题。 + +-------------------------------------------------------------------------------- + +via: https://www.maketecheasier.com/use-old-xorg-apps-unity-8/ + +作者:[Derrik Diener][a] + +译者:[ypingcn](https://github.com/ypingcn) + +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.maketecheasier.com/author/derrikdiener/ +[1]:https://www.maketecheasier.com/use-old-xorg-apps-unity-8/#respond + +[3]:https://www.maketecheasier.com/shimo-vpn-client-for-mac/ +[4]:https://www.maketecheasier.com/schedule-windows-empty-recycle-bin/ +[5]:mailto:?subject=How%20to%20Use%20Old%20Xorg%20Apps%20in%20Unity%208%20on%20Ubuntu%2016.10&body=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F +[6]:http://twitter.com/share?url=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F&text=How+to+Use+Old+Xorg+Apps+in+Unity+8+on+Ubuntu+16.10 +[7]:http://www.facebook.com/sharer.php?u=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F +[8]:https://www.maketecheasier.com/category/linux-tips/ From 07916e26ad648ba36174bb4d7a1a4b48e9d0c906 Mon Sep 17 00:00:00 2001 
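Review bot: In the newly created translated file, under `### 安装软件`, the line "两天内在 Libertine 容器中安装好软件" mistranslates the source sentence "Software is installed in Libertine containers in two ways": it says the software is installed within two days, and the "第一步" that follows should then be "第一种方式". Suggest "在 Libertine 容器中安装软件有两种方式。第一种方式是…". Under `### 安装 Libertine`, "在 Mir 桌面上用终端打开 Libertine" also departs from "Start off by opening a terminal on the Mir desktop": that step opens a terminal, and Libertine is only launched after the `apt install` command.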
From: ypingcn <1344632698@qq.com> Date: Fri, 30 Dec 2016 02:00:30 +0000 Subject: [PATCH 106/181] Delete 20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md --- ...ld Xorg Apps in Unity 8 on Ubuntu 16.10.md | 115 ------------------ 1 file changed, 115 deletions(-) delete mode 100644 sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md diff --git a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md b/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md deleted file mode 100644 index 712f069590..0000000000 --- a/sources/tech/20161024 How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10.md +++ /dev/null 
@@ -1,115 +0,0 @@ -translating by ypingcn. - -How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10 - -如何在 Ubuntu 16.10 的 Unity 8 上使用之前的 Xorg 程序 - -==== - -![](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-feature-image.jpg "How to Use Old Xorg Apps in Unity 8 on Ubuntu 16.10s") - -随着 Ubuntu 16.10 的发布,Unity 8 吸引到了比平时更多的目光。这是因为这个大家最爱的 Linux 发行版的最新版本进行着一项桌面显示实验。桌面发行版是人们最熟悉的 Unity 环境,但有一点点不同。它不再使用 X11 图形技术,Ubuntu的开发者选择了另一种截然不同的方式。 - -With the release of Ubuntu 16.10, Unity 8 has been getting more attention than usual. This is because the latest release of everyone’s favorite Linux distribution comes with an experimental desktop to play with. This desktop is the Unity environment most are used to, with a twist. It no longer is making use of X11 graphics technology and instead the makers of Ubuntu have gone a different way. - -原来,Unity 8 用的是 Mir,这是 Ubuntu 对 Linux 上更好显示服务的号召所做出的回答。这项技术已经 Ubuntu phone 和平板上大量使用,但是这次新版是我们在桌面环境上第一次见到 Mir 。 - -In its place, Unity 8 is using Mir, Ubuntu’s answer to calls for a better-performing display server on Linux. This technology has been in heavy use already on the Ubuntu phone and tablet, but this new release is the first time we’ve seen it on the desktop. - -这项技术相当新颖,结果是没多少 Linux 程序能运行在它之上。不是所有,那也是大部分的程序被设计在 Xorg 和 X11 之上运行。如果你一直尝试在 Unity 8 上运行这些程序,当你了解到在 Unity 8上确实有可能运行之前的 Xorg 程序时,你会很开心的。接下来是如何做! - -This technology is new and shiny. As a result, not a lot of established Linux programs can work on it, as most, if not all, of these tools are built to work with Xorg and X11\. However, if you’ve been wanting to try out Unity 8, you’ll be happy to know that it is indeed possible to get these old Xorg apps working in Unity 8\. Here’s how! 
- -### Logging Into Unity 8 - -### 登录进 Unity 8 - -![unity8-select-unity-8-login](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-select-unity-8-login.jpg "unity8-select-unity-8-login") - -Unity 8 在 Ubuntu 16.10 上是一个可选会话。在使用之前只须牢记一件事情:它不会加载 AMD 的图形驱动,Intel 的同样不会加载。唯一支持的图形驱动是 Nvidia 的开源驱动。要用 Unity 8 的话,只要像往常那样启动 Ubuntu,然后,在登录进去之前,点击用户名上面的 Ubuntu 图标,选择 Unity8 选项。如果万事顺利的话,这个新的、试验性的桌面环境将会加载。 - -Unity 8 comes as an optional session in Ubuntu 16.10\. There’s one key thing to keep in mind before using it: it will not load with AMD graphics drivers, or Intel for that matter. The only supported graphics drivers as of now are the open source Nvidia drivers. To use the Unity 8 session, start up Ubuntu like normal. Then, before logging in, click the Ubuntu icon above your username and select “Unity8.” If all goes well, the new, experimental desktop will load. - -**注意**: Unity 8 非常新而且不稳定,自行承担使用风险。 - -**Note**: Unity 8 is very new and unstable. Use at your own risk. - -### Installing Libertine - -### 安装 Libertine - -Xorg 程序(例如 Firefox 等)确实能在 Unity 8 上使用,在使用之前需要一点小调整。在 Mir 桌面上用终端打开 Libertine ,在 scopes 窗口中点击终端图标就能完成。一旦打开,输入你的密码。接下来,输入以下的命令: - -Xorg programs (like Firefox, etc.) do work in Unity 8; they just need a little tweak before anything will run. Start off by opening a terminal on the Mir desktop. This is done by clicking the terminal icon in the “scopes” window. Once open, enter your password. After that, enter the following commands: - -![unity8-installing-libertine-in-terminal](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-installing-libertine-in-terminal.jpg "unity8-installing-libertine-in-terminal") - -``` -sudo apt install libertine-tools libertine-scope libertine -``` - -当这些程序完成安装后,点击并拖动 scopes 窗口以刷新内容。然后,在面板上点击来启动libertine。 - -When these programs finish installing, click and drag the scope window to refresh it. Then, click on the top-hat to launch libertine. 
- -### Creating Xorg Containers - -### 新建 Xorg 容器 - -打开 Libertine,就到时间来新建一些容器了。这些容器很特别,因为他们能让基于 X11 的 Linux 程序在 Mir/Unity 8 桌面上的容器之中运行。另外,点击“i386 multiarch support"复选框来获得 32 位支持。否则,什么都不要动(或者输入名字和密码),点击”OK”。 - -With Libertine open, it’s time to create some containers. These containers are special, as they allow X11 based Linux programs to run inside of a container on the Mir/Unity 8 desktop. Additionally, check the “i386 multiarch support” box for 32bit support. Otherwise, leave everything as is (or give it a name and password), and click OK. - -![unity8-libertine-create-new-container](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-create-new-container.jpg "unity8-libertine-create-new-container") - -在这之后,这个 Xorg 容器就准备好以供使用了。在 Libertine 找到它并启动。删除也很容易,右键点击容器,选择“删除”选项。 - -From this point on, the Xorg container is ready to use. Look for it in Libertine and launch the container. It also should be noted that containers can be erased by right-clicking on them, then selecting the “Delete” option. - -**注意**:每一个 Xorg 容器有 500 MB的最大内存限制。所以多个容器是有必要的。 - -**Note**: each Xorg container has a maximum memory limit of 500 megabytes, so multiple containers may be necessary. - -### Installing Software - -### 安装软件 - -![unity8-libertine-install-software](https://maketecheasier-2d0f.kxcdn.com/assets/uploads/2016/10/unity8-libertine-install-software.jpg "unity8-libertine-install-software") - -两天内在 Libertine 容器中安装好软件。第一步允许用户启动容器后选择“输入包名或者 Debian 文件”,这意味着用户可以在软件中心或者终端找到一个软件的名字,然后输入 Libertine 来安装,也可以指定特定的 DEB 文件来安装,也可以在Libertine LXC 容器中直接搜索安装包。 - -Software is installed in Libertine containers in two ways. The first way allows for users to launch the container and select “Enter package name or Debian file,” meaning it is possible to find the name of a program in the software center or terminal and enter it into Libertine to install it. It is also possible to specify a .DEB package file for installation. 
It is also possible to search for the package directly within the Libertine LXC container. - -**注意**:Unity 8 非常新,一些程序或许不能在 Libertine 里加载或者完全安装。 - -**Note**: Unity 8 is very new, and some programs may not load or fully install with Libertine. - -### Conclusion - -### 结论 - -Unity 8展现了不少的新特性,它现代、时髦,而且比之前任何一个 Unity 迭代版本都快。唯一限制它的就是使用率。事实是大部分用户更乐意选择实用的应用程序,而不是一个别致新颖的桌面环境。某种程度上来说,使用 Libertine 能解决这个问题,但它不会永久有效。早晚有一天,Canonical 将有必要自行引进程序或者向社区求助来彻底解决这个问题。 - -Unity 8 shows a lot of promise. It’s modern, sleek, and faster than any iteration of Unity that came before it. The only thing that is holding it back is adoption. The simple fact is that most users would rather have programs that work instead of a fancy, fresh desktop. To an extent, using Libertine solves this issue, but it won’t work forever. Sooner or later Canonical will need to start porting programs on their own or reach out to the community as as whole to make this happen. - --------------------------------------------------------------------------------- - -via: https://www.maketecheasier.com/use-old-xorg-apps-unity-8/ - -作者:[Derrik Diener][a] - -译者:[ypingcn](https://github.com/ypingcn) - -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.maketecheasier.com/author/derrikdiener/ -[1]:https://www.maketecheasier.com/use-old-xorg-apps-unity-8/#respond - -[3]:https://www.maketecheasier.com/shimo-vpn-client-for-mac/ -[4]:https://www.maketecheasier.com/schedule-windows-empty-recycle-bin/ -[5]:mailto:?subject=How%20to%20Use%20Old%20Xorg%20Apps%20in%20Unity%208%20on%20Ubuntu%2016.10&body=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F -[6]:http://twitter.com/share?url=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F&text=How+to+Use+Old+Xorg+Apps+in+Unity+8+on+Ubuntu+16.10 -[7]:http://www.facebook.com/sharer.php?u=https%3A%2F%2Fwww.maketecheasier.com%2Fuse-old-xorg-apps-unity-8%2F 
-[8]:https://www.maketecheasier.com/category/linux-tips/ From d5fb21b6cf0e42fd41eec47be1e4a67cfd9c7b2e Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 10:42:44 +0800 Subject: [PATCH 107/181] translated --- .../20161128 Mir is not only about Unity8.md | 86 ------------------- .../20161128 Mir is not only about Unity8.md | 85 ++++++++++++++++++ 2 files changed, 85 insertions(+), 86 deletions(-) delete mode 100644 sources/tech/20161128 Mir is not only about Unity8.md create mode 100644 translated/tech/20161128 Mir is not only about Unity8.md diff --git a/sources/tech/20161128 Mir is not only about Unity8.md b/sources/tech/20161128 Mir is not only about Unity8.md deleted file mode 100644 index f45ed1eb70..0000000000 --- a/sources/tech/20161128 Mir is not only about Unity8.md +++ /dev/null 
@@ -1,86 +0,0 @@ -translating---geekpi - -Mir is not only about Unity8 -============================================================ - - ![mir](https://insights.ubuntu.com/wp-content/uploads/2cf2/MIR.png) - -_This is a guest post by Alan Griffiths, Software engineer at Canonical. If you would like to contribute a guest post, please contact ubuntu-devices@canonical.com_ - -Mir is a project to support the management applications on the display(s) of a computer. It can be compared to the more familiar X-Windows used on the current Ubuntu desktop (and many others). I’ll discuss some of the motivation for Mir below, but the point of this post is to clarify the relationship between Mir and Unity8. - -Most of the time you hear about Mir it is mentioned alongside Unity8\. This is not surprising as Unity8 is Canonical’s new user interface shell and the thing end-users interact with. Mir “only” makes this possible. Unity8 is currently used on phones and tablets and is also available as a “preview” on the Ubuntu 16.10 desktop. - -Here I want to explain that Mir is available to use without Unity8\. Either for an alternative shell, or as a simpler interface for embedded environments: information kiosks, electronic signage, etc. The evidence for this is proved by the Mir “Abstraction Layer” which provides three important elements: - -1.libmiral.so – a stable interface to Mir providing basic window management; -2\. miral-shell – a sample shell offering both “traditional” and “tiling” window management; and, -3\. miral-kiosk – a sample “kiosk” offering only basic window management. - -The miral-shell and miral-kiosk sample servers are available from the zesty archive and Kevin Gunn has been [blogging][1] about providing a miral-kiosk based “kiosk” snap on “Voices”. I’ll give a bit more detail about using these examples below, but there is more (including “how to” develop your own alternative Mir server) on [my “voices” blog][2]. 
- -**USING MIR** - -Mir is a set of programming libraries, not an application in its own right. That means it needs applications to use it for anything to happen. There are two ways to use the Mir libraries: as a “client” when writing an application, or as a “server” when implementing a shell. Clients (as with X11) typically use a toolkit rather than using Mir (or X11) directly. - -There’s Mir support available in GTK, Qt and SDL2\. This means that applications using these toolkits should “just work” on Mir when that support is enabled in the toolkit (which is the default in Ubuntu). In addition there’s Xmir: an X11 server that runs on Mir, this allows X based applications to run on Mir servers. - -But a Mir client needs a corresponding Mir server before anything can happen. Over the last development cycle the Mir team has produced MirAL as the recommended way to write Mir servers and a package “miral-examples” by way of demonstration. For zesty, the development version of Ubuntu, you can install from the archive: - -``` -$ sudo apt install miral-examples mir-graphics-drivers-desktop qtubuntu-desktop -``` - -_For other platforms you would need to build MirAL this yourself (see An Example Mir Desktop Environment for details)._ - -With miral-examples installed you can run a Mir server as a window on your Unity7 desktop and start clients (such as gedit) within it as follows: - -``` -$ miral-shell& -$ miral-run gedit -``` - -This will give you (very basic) “traditional” desktop window management. Alternatively, you can try “tiling” window management: - -``` -$ miral-shell --window-manager tiling& -$ miral-run qterminal -``` - -Or the (even more basic) kiosk: - -``` -$ miral-kiosk& -$ miral-run 7kaa -``` - -None of these Mir servers provide a complete “desktop” with support for a “launcher”, notifications, etc. but they demonstrate the potential to use Mir without Unity8. 
- -**THE PROBLEM MIR SOLVES** - -The X-Windows system has been, and remains, immensely successful in providing a way to interact with computers. It provides a consistent abstraction across a wide range of hardware and drivers. This underlies many desktop environments and graphical user interface toolkits and lets them work together on an enormous range of computers. - -But it comes from an era when computers were used very differently from now, and there are real concerns today that are hard to meet given the long legacy that X needs to support. -In 1980 most computers were big things managed by specialists and connecting them to one another was “bleeding edge”. In that era the cost of developing software was such that any benefit to be gained by one application “listening in” on another was negligible: there were few computers, they were isolated, and the work they did was not open to financial exploitation. - -X-Windows developed in this environment and, through a series of extensions, has adapted to many changes. But it is inherently insecure: any application can find out what happening on the display (and affect it). You can write applications like Xeyes (that tracks the cursor with its “eyes”) or “Tickeys” (that listens to the keyboard to generate typewriter noises). The reality is that any and all applications can track and manipulate almost all of what is happening. That is how X based desktops like Unity7, Gnome, KDE and the rest work. - -The open nature of window management in X-Windows is poorly adapted to a world with millions of computers connected to the Internet, being used for credit card transactions and online banking, and managed by non-experts who willingly install programs from complete strangers. There has been a growing realization that adapting X-Windows to the new requirements of security and graphics performance isn’t feasible. - -There are at least two open source projects aimed at providing a replacement: Mir and Wayland. 
While some see these as competing, there are a lot of areas where they have common interests: They both need to interact with other software that previously assumed X11, and much of the work needed to introduce support alternatives benefits both projects. - -Canonical’s replacement for X-Windows, Mir, only exposes the information to an application that it needs to have (so no snooping on keystrokes, or tracking the cursor). It can meet the needs of the current age and can exploit modern hardware such as graphics processors. - --------------------------------------------------------------------------------- - -via: https://insights.ubuntu.com/2016/11/28/mir-is-not-only-about-unity8/ - -作者:[ Guest][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://insights.ubuntu.com/author/guest/ -[1]:http://voices.canonical.com/kevin.gunn/ -[2]:http://voices.canonical.com/alan.griffiths/ diff --git a/translated/tech/20161128 Mir is not only about Unity8.md b/translated/tech/20161128 Mir is not only about Unity8.md new file mode 100644 index 0000000000..6b5f2b03dc --- /dev/null +++ b/translated/tech/20161128 Mir is not only about Unity8.md 
@@ -0,0 +1,85 @@ +Mir 并不只关于Unity8 +============================================================ + + ![mir](https://insights.ubuntu.com/wp-content/uploads/2cf2/MIR.png) + +_这是一篇来自 Canonical 的软件工程师 Alan Griffiths 的一篇游客文章。如果你也想投稿,请联系 ubuntu-devices@canonical.com_ + +Mir 是管理程序显示的项目。它可以与当前 Ubuntu 桌面(及很多其他)上使用的我们更熟悉的X-Windows进行比较。我下面会讨论使用 Mir 的一些动机,但本篇的目的是澄清 Mir 和 Unity8 之间的关系。 + +大多数时候你听说 Mir 时都会提到 Unity8。这并不奇怪,因为 Unity8 是 Canonical 的用户shell,用户会一直与它交互。 Mir “只”使这成为可能。Unity8 目前用于手机和平板电脑,也可作为 Ubuntu 16.10 桌面上的“预览”。 + +在这里我想解释一下使用 Mir 是可以使用Unity8 的。或者作为替代 shell,或者作为嵌入式环境的更简单的接口:信息窗口,电子标牌等。Mir “抽象层”证明了这一点,它提供了三个重要的元素: + +1\. libmiral.so - Mir 的稳定接口,提供基本的窗口管理; +2\. miral-shell - 一个提供“传统”和“平铺”窗口管理的示例shell; +3\. miral-kiosk - 一个仅提供基本窗口管理的示例“kiosk”。 + +miral-shell 和 miral-kiosk 示例服务器可从 zesty 的归档文件中获得,Kevin Gunn已经在[记录][1]关于在“Voices”上提供基于 miral-kiosk 的“kiosk”。我将在下面给出更多关于使用这些例子的细节,但在[我的“voices”博客][2]上有更多(包括“如何”开发自己的替代Mir服务器)。 + +**使用 MIR** + +Mir 是一套编程库,而不是独立的程序。这意味着这需要程序去调用它实现相应的功能。有两种方式去使用Mir库:编写程序的时候作为“客户端”,或者在实现shell的实现“服务端”。客户端(和X11一起)典型是使用工具库,而不是直接使用 Mir(或者 X11)。 + +Mir支持GTK、Qt 和 SDL2 中有支持。当在那些工具集中支持它时(默认在Ubuntu中存在),意味着使用这些工具的程序应该“可以工作”于 Mir 中。除此之外还有一个 Xmir:一个运行于 Mir 的 X11 服务器,这允许基于 X 的服务运行在 Mir服务端上。 + +但是开始之前 Mir 客户端需要与 Mir 服务端通信。在最后一个开发周期中,Mir 团队在演示中将 MirAL 作为推荐的方法编写了一个 Mir 服务端和一个“miral-examples”包。关于 Ubuntu 的开版 zesty,你可以从归档中安装: + + +``` +$ sudo apt install miral-examples mir-graphics-drivers-desktop qtubuntu-desktop +``` + +_对于其他平台,你需要自己构建MirAL(有关详细信息,请参阅 Mir 桌面环境示例)。_ + +miral-examples 安装后你可以在 Unity7 中运行一个 Mir 服务端作为一个窗口,然后运行一个客户端(比如 gedit): + +``` +$ miral-shell& +$ miral-run gedit +``` + +这会给你(非常基础)“传统” 的桌面窗口管理。另外你可以试下“tiling” 窗口管理器: + +``` +$ miral-shell --window-manager tiling& +$ miral-run qterminal +``` + +或者(甚至更基础的)kiosk: + +``` +$ miral-kiosk& +$ miral-run 7kaa +``` + +这些 Mir 服务端都不会提供带有“启动器”、通知等的完整“桌面”。但是它们演示了不使用 Unity8 使用 Mir 的可能。 + +**MIR 解决的问题** + +X-Windows 系统已经并且仍然非常成功地提供了与计算机的交互方式。它提供了广泛的硬件和驱动程序一致的抽象。它支持许多桌面环境和图形用户界面工具包,并允许他们在大量计算机上一起工作。 + 
+但它来自一个与当前电脑使用方式不同的时代,现在有一些问题是很难满足的,因为它需要支持老旧的系统。 +在 1980 年,大多数计算机是由专家管理的大型事物,将它们连接在一起“是非常困难的”。在那个时代,开发软件的成本是这样的,一个程序“监听”另一个程序获得的好处是可以忽略不计的:此时几乎没有计算机,同时它们是独立的,它们所有的工作不对金融开放。 + +X-Windows 在这种环境下开发,通过一系列扩展,已经适应了许多变化。但它本质上是不安全的:任何应用程序可以找出在显示器上显示了什么(并影响它)。你可以编写像 Xeyes(用“眼睛”跟踪光标)或“Tickeys”(通过键盘来生成打字机噪声)等应用程序。现实是,任何和所有应用程序可以跟踪和操纵几乎所有的事情。这就是基于X的桌面如 Unity7、Gnome、KDE和其余工作。 + +X-Windows 中的窗口管理的开放性质不适合用于具有数百万计算机连接到因特网的世界,它们用于信用卡交易和网上银行,且由非专家管理,并自愿安装来自陌生人的程序。人们越来越意识到让 X-Windows 适应新的安全性和图形性能的要求是不可行的。 + +现在至少有两个开源项目旨在提供替代它:Mir 和 Wayland。虽然有些人认为两者是竞争关系,但在很多领域,它们有共同的利益:它们都需要那些假设使用 X11 的软件交互,并且许多支持工作对两者都有益。 + +Canonical 对 X-Windows 的替换品 Mir,它只将信息暴露给它需要的应用程序(因此没有按键监听或光标跟踪)。它可以满足当前时代的需求,并可以利用现代硬件,如图形处理器。 + +-------------------------------------------------------------------------------- + +via: https://insights.ubuntu.com/2016/11/28/mir-is-not-only-about-unity8/ + +作者:[ Guest][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://insights.ubuntu.com/author/guest/ +[1]:http://voices.canonical.com/kevin.gunn/ +[2]:http://voices.canonical.com/alan.griffiths/ From 0f2f8868840f7e00acdf237c7a7987a79a7a2cac Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 10:45:22 +0800 Subject: [PATCH 108/181] translating --- .../tech/20161021 Getting started with Inkscape on Fedora.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161021 Getting started with Inkscape on Fedora.md b/sources/tech/20161021 Getting started with Inkscape on Fedora.md index 9071777749..82d6758284 100644 --- a/sources/tech/20161021 Getting started with Inkscape on Fedora.md +++ b/sources/tech/20161021 Getting started with Inkscape on Fedora.md @@ -1,3 +1,5 @@ +translating---geekpi + ### [Getting started with Inkscape on Fedora][2] ![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) 
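Review bot: In the added translated/tech/20161128 Mir is not only about Unity8.md, the sentence "在这里我想解释一下使用 Mir 是可以使用Unity8 的" drops the "without" from the source ("Mir is available to use without Unity8") and so says the opposite of the article's thesis; suggest something like "Mir 可以脱离 Unity8 单独使用". In the closing paragraph, "它只将信息暴露给它需要的应用程序" reads as limiting which applications receive information, whereas the source says Mir exposes to an application only the information that application needs to have, which is the isolation property the X-Windows comparison rests on, so it should be reworded. "将它们连接在一起“是非常困难的”" also loses the sense of "bleeding edge", and "基于 X 的服务" should be applications (应用程序), not services.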
From 64c7d7787143d3e79f96c2d5003386c6e5acd926 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 11:17:28 +0800 Subject: [PATCH 109/181] translated --- ...Getting started with Inkscape on Fedora.md | 114 ------------------ ...Getting started with Inkscape on Fedora.md | 112 +++++++++++++++++ 2 files changed, 112 insertions(+), 114 deletions(-) delete mode 100644 sources/tech/20161021 Getting started with Inkscape on Fedora.md create mode 100644 translated/tech/20161021 Getting started with Inkscape on Fedora.md diff --git a/sources/tech/20161021 Getting started with Inkscape on Fedora.md b/sources/tech/20161021 Getting started with Inkscape on Fedora.md deleted file mode 100644 index 82d6758284..0000000000 --- a/sources/tech/20161021 Getting started with Inkscape on Fedora.md +++ /dev/null 
@@ -1,114 +0,0 @@ -translating---geekpi - -### [Getting started with Inkscape on Fedora][2] - - ![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) - -Inkscape is a popular, full-featured, free and open source vector [graphics editor][3] available in the official Fedora repositories. It’s specifically tailored for creating vector graphics in the [SVG format][4]. Inkscape is great for creating and manipulating pictures and illustrations. It’s also good for creating diagrams, and user interface mockups. - -[ - ![cyberscoty-landscape-800px](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png) -][5] - -[Windmill Landscape][1]illustration created using inkscape - -The [screenshots page on the official website][6] has some great examples of what can be done with Inkscape. The majority of the featured images here on the Fedora Magazine are also created using Inkscape, including this recent featured image: - -[ - ![communty](https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png) -][7] - -A recent featured image here on the Fedora Magazine that was created with Inkscape - -### Installing Inkscape on Fedora - -Inkscape is [available in the official Fedora repositories][8], so it’s super easy to install using the Software app in Fedora Workstation**:** - -[ - ![inkscape-gnome-software](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gnome-software.png) -][9] - -Alternatively, if you are comfortable with the command line, you can install using the following `dnf` command: - -``` -sudo dnf install inkscape -``` - -### Dive into Inkscape (getting started) - -When opening the app for the first time, you are greeted with a blank page, and a bunch of different toolbars. 
For beginners, the three most important of these toolbars are the Toolbar, the Tools Control Bar, and the Colour Palette: - -[ - ![inkscape_window](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape_window.png) -][10] - -The **Toolbar** provides all the basic tools for creating drawings, including tools such as: - -* The rectangle tool, for drawing rectangles and squares -* The star / polygon (shapes) tool -* The circle tool, for drawing ellipses and circles -* The text tool, for adding labels and other text -* The path tool, for creating or editing more complex or customized shapes -* The select tool for selecting objects in your drawing - -The **Colour Palette** provides a quick way to set the colour of the currently selected object. The **Tools Control Bar** provides all the settings for the currently selected tool in the Toolbar. Each time you select a new tool, the Tools Control Bar will update with the settings for that tool: - -[ - ![](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif) -][11] - -### Drawing shapes - -Next, let’s draw a star with Inkscape. First, choose the star tool from the **Toolbar, **and click and drag on the main drawing area**.** - -You’ll probably notice your star looks a lot like a triangle. To change this, play with the Corners option in the **Tools Control Bar**, and add a few more points. Finally, when you’re done, with the star still selected choose a colour from the **Palette** to change the colour of your star: - -[ - ![inkscape-drawastar](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif) -][12] - -Next, experiment with some of the other shapes tools in the Toolbar, such as the rectangle tool, the spiral tool and the circle tool. Also play around with some of the settings for each tool to create a bunch of unique shapes. 
- -### Selecting and moving objects in your drawing - -Now you have a bunch of shapes, and can use the Select tool to move them around. To use the select tool, first select it from the toolbar, and then click on the shape you want to manipulate. Then click and drag the shape to where you want it to be. - -When a shape is selected, you can also use the resize handles to scale the shape. Additionally, if you click on a shape that is selected, the resize handles change to rotate mode, allowing you to spin your shape: - -[ - ![inkscape-movingshapes](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif) -][13] - -* * * - -Inkscape is an awesome piece of software that is packed with many more tools and features. In the next articles in this series, we will cover more of the features and options you can use to create awesome illustrations and documents. - ------------------------ - -作者简介:Ryan is a designer that works on stuff for Fedora. He uses Fedora Workstation as his primary desktop, along with the best tools from the Libre Graphics world, notably, the vector graphics editor, Inkscape. 
- - --------------------------------------------------------------------------------- - -via: https://fedoramagazine.org/getting-started-inkscape-fedora/ - -作者:[Ryan Lerch][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://ryanlerch.id.fedoraproject.org/ -[1]:https://openclipart.org/detail/185885/windmill-in-landscape -[2]:https://fedoramagazine.org/getting-started-inkscape-fedora/ -[3]:https://inkscape.org/ -[4]:https://en.wikipedia.org/wiki/Scalable_Vector_Graphics -[5]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png -[6]:https://inkscape.org/en/about/screenshots/ -[7]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png -[8]:https://apps.fedoraproject.org/packages/inkscape -[9]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gnome-software.png -[10]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape_window.png -[11]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif -[12]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif -[13]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif diff --git a/translated/tech/20161021 Getting started with Inkscape on Fedora.md b/translated/tech/20161021 Getting started with Inkscape on Fedora.md new file mode 100644 index 0000000000..66170f8fa4 --- /dev/null +++ b/translated/tech/20161021 Getting started with Inkscape on Fedora.md 
@@ -0,0 +1,112 @@ +### [在 Fedora 中使用 Inkscape][2] + + ![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) + +Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编辑器][3],它已经在 Fedora 官方仓库中。它专门为[SVG格式][4]中创建矢量图形而定制。Inkscape 非常适合创建和操作图片和插图。它也适用于创建图表和模拟用户界面。 + +[ + ![cyberscoty-landscape-800px](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png) +][5] + +使用inkscape创建的[风车景色][1]的插图 + +[官方网站上的截图页][6]上有一些很好的例子,说明Inkscape可以做些什么。Fedora杂志上的大多数精选图片也是使用 Inkscape 创建的,包括最近的精选图片: + +[ + ![communty](https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png) +][7] + +最近使用 Inkscape 创建的 Fedora 杂志精选图片 + +### 在 Fedora 中安装 Inkscape + +**Inkscape 已经[在 Fedora 官方仓库中了][8],因此可以非常简单地在 Fedora Workstation 使用 Software 这个程序安装它:** + +[ + ![inkscape-gnome-software](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gnome-software.png) +][9] + +另外,如果你习惯用命令行,你可以使用 `dnf` 命令来安装: + +``` +sudo dnf install inkscape +``` + +### (开始)深入 Inkscape + +当第一次打开程序是,你会看到一个空白页面,并且有一组不同的工具栏。对于初学者,最重要的三个工具栏是:Toolbar、Tools Control Bar、 Colour Palette: + +[ + ![inkscape_window](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape_window.png) +][10] + +**Toolbar**提供了创建绘图的所有基本工具,包括以下工具: + +* 矩形工具:用于绘制矩形和正方形 +* 星/多边形(形状)工具 +* 圆形工具:用于绘制椭圆和圆 +* 文本工具:用于添加标签和其他文本 +* 路径工具:用于创建或编辑更复杂或自定义的形状 +* 选择工具:用于选择图形中的对象 + +**Colour Palette** 提供了一种快速方式来设置当前选定对象的颜色。 **Tools Control Bar** 提供了工具栏中当前选定工具的所有设置。每次选择新工具时,Tools Control Bar 会变成该工具的设置: + +[ + ![](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif) +][11] + +### 绘画图形 + +接下来,让我们使用 Inkscape 绘制一个星星。 首先,从 **Toolbar** 中选择星形工具,**然后单击并拖动主绘图区域。** + +你可能会注意到你的星看起来很像一个三角形。要更改它,请使用 “Tools Control Bar” 中的 “Corners” 选项,然后再添加几个点。 最后,当你完成后,当星星仍被选中时,从“调色板”中选择一种颜色来改变星星的颜色: + +[ + ![inkscape-drawastar](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif) +][12] + 
+接下来,在Toolbar中实验一些其他形状工具,如矩形工具,螺旋工具和圆形工具。每个工具都设置下来创建一些独特的图形。 + +### 在绘图中选择移动对象 + +现在你有一堆图形了,你使用选择工具来移动它们。要使用选择工具,首先从工具栏中选择它,然后单击要操作的形状,接着将图形拖动到您想要的位置。 + +选择形状时,你还可以使用调整大小手柄来缩放图形。此外,如果你单击所选的图形,调整大小控点将变为旋转模式,并允许你旋转图形: + +[ + ![inkscape-movingshapes](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif) +][13] + +* * * + +Inkscape是一个很棒的软件,它还包含了更多的工具和功能。在本系列的下一篇文章中,我们将介绍更多可用来创建插图和文档的功能和选项。 + +----------------------- + +作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 + + +-------------------------------------------------------------------------------- + +via: https://fedoramagazine.org/getting-started-inkscape-fedora/ + +作者:[Ryan Lerch][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://ryanlerch.id.fedoraproject.org/ +[1]:https://openclipart.org/detail/185885/windmill-in-landscape +[2]:https://fedoramagazine.org/getting-started-inkscape-fedora/ +[3]:https://inkscape.org/ +[4]:https://en.wikipedia.org/wiki/Scalable_Vector_Graphics +[5]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png +[6]:https://inkscape.org/en/about/screenshots/ +[7]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png +[8]:https://apps.fedoraproject.org/packages/inkscape +[9]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gnome-software.png +[10]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape_window.png +[11]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif +[12]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif +[13]:https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif From 1cde3495d1ca2f5a6407e33f8f06b743d202402c Mon Sep 17 00:00:00 2001 
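Review bot: In the added translated/tech/20161021 Getting started with Inkscape on Fedora.md, "当第一次打开程序是" has a typo (是 should be 时). The bold markers were also moved relative to the source: the install sentence is now bold in full, and in the star step the clause "**然后单击并拖动主绘图区域。**" is bold where the source emphasises only "Toolbar"; suggest dropping the emphasis from both. In that same step "单击并拖动主绘图区域" reads as dragging the drawing area itself rather than clicking and dragging on it, and "Palette" is rendered as "调色板" while "Colour Palette" is left in English elsewhere in the file, so pick one form.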
From: geekpi Date: Fri, 30 Dec 2016 11:25:13 +0800 Subject: [PATCH 110/181] translating --- sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md b/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md index 86f950a924..c8d61e9147 100644 --- a/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md +++ b/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md @@ -1,3 +1,5 @@ +translating----geekpi + GETTING STARTED WITH ANSIBLE ========== From 6f1b41b94b297802ff0698f20ccdbb3482800433 Mon Sep 17 00:00:00 2001 From: timeszoro Date: Fri, 30 Dec 2016 12:21:24 +0800 Subject: [PATCH 111/181] Update 20161216 Kprobes Event Tracing on ARMv8.md --- sources/tech/20161216 Kprobes Event Tracing on ARMv8.md | 1 + 1 file changed, 1 insertion(+) diff --git a/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md b/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md index cb8ef32640..97b70e4b97 100644 --- a/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md +++ b/sources/tech/20161216 Kprobes Event Tracing on ARMv8.md @@ -1,5 +1,6 @@ # Kprobes Event Tracing on ARMv8 +Timeszoro Translating ![core-dump](http://www.linaro.org/wp-content/uploads/2016/02/core-dump.png) From e99b663128ab29ca7f2ed8831dfbc9e944668854 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 13:53:02 +0800 Subject: [PATCH 112/181] translated --- .../20161005 GETTING STARTED WITH ANSIBLE.md | 604 ------------------ .../20161005 GETTING STARTED WITH ANSIBLE.md | 603 +++++++++++++++++ 2 files changed, 603 insertions(+), 604 deletions(-) delete mode 100644 sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md create mode 100644 translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md diff --git a/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md b/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md deleted file mode 100644 index c8d61e9147..0000000000 
--- a/sources/tech/20161005 GETTING STARTED WITH ANSIBLE.md +++ /dev/null 
@@ -1,604 +0,0 @@ -translating----geekpi - -GETTING STARTED WITH ANSIBLE -========== - - -This is a crash course on Ansible that you can also use as a template for small projects or to get you into this awesome tool. By the end of this guide, you will know enough to automate server configurations, deployments and more. - -### What is Ansible and why you should care ? - -Ansible is a configuration management system known for its simplicity. You only need ssh access to your servers or equipment. It also differs from other options because it pushes changes instead of pulling like puppet or chef normally do. You can deploy code to any number of servers, configure network equipment or automate anything in your infrastructure. - -#### Requirements - -It’s assumed that you are using Mac or Linux as your workstation, Ubuntu Trusty for your servers and have some experience installing packages. Also, you will need the following software on your computer. So, if you don’t have them already, go ahead and install: - -- Virtualbox -- Vagrant -- Mac users: Homebrew - -#### Scenario -We are going to emulate 2 web application servers connecting to a MySQL database. The web application uses Rails 5 with Puma. - -### Preparations - -#### Vagrantfile - -Create a folder for this project and save the following content in a file called: Vagrantfile - -``` -VMs = [ - [ "web1", "10.1.1.11"], - [ "web2", "10.1.1.12"], - [ "dbserver", "10.1.1.21"], - ] - -Vagrant.configure(2) do |config| - VMs.each { |vm| - config.vm.define vm[0] do |box| - box.vm.box = "ubuntu/trusty64" - box.vm.network "private_network", ip: vm[1] - box.vm.hostname = vm[0] - box.vm.provider "virtualbox" do |vb| - vb.memory = "512" - end - end - } -end -``` - -### Configure your virtual network - -We want our VMs to talk to each other, but don’t let that traffic go out to your real network, so we are going to create aHost-Only adapter in Virtualbox. - -1. Open Virtualbox -2. Go to Preferences -3. Go to Network -4. 
Click on Host-Only networks -5. Click to add a network -6. Click on Adapter -7. Set IPv4 to 10.1.1.1, IPv4 Network Mark: 255.255.255.0 -8. Click Ok - -#### Test your VMs and virtual network - -In a terminal, in the directory for this project where you have the Vagrantfile, type the following command: - -``` -vagrant up -``` - -This will create your VMs so it may take a while. Check that everything worked by typing this command and verifying the output: - -``` -$ vagrant status -Current machine states: - -web1 running (virtualbox) -web2 running (virtualbox) -master running (virtualbox) - -This environment represents multiple VMs. The VMs are all listed -above with their current state. For more information about a specific -VM, run `vagrant status NAME`. -``` - -Now log into each one of the VMs using user & password vagrant and the IPs in the Vagrantfile, this will validate the VMs and add their keys to your known hosts file. - -``` -ssh vagrant@10.1.1.11 # password is `vagrant` -ssh vagrant@10.1.1.12 -ssh vagrant@10.1.1.21 -``` - -Congratulations! Now you have servers to play with. Here comes the exiting part! - -### Install Ansible - -For Mac users: - -``` -$ brew install ansible -``` - -For Ubuntu users: - -``` -$ sudo apt install ansible -``` - -Make sure you got a recent version of ansible that is 2.1 or superior: - -``` -$ ansible --version -ansible 2.1.1.0 -``` - -### The Inventory - -Ansible uses an inventory to know what servers to work with and how to group them to perform tasks(in parallel). 
Let’s create our inventory for this project and name it inventory in the same folder as the Vagrantfile: - -``` -[all:children] -webs -db - -[all:vars] -ansible_user=vagrant -ansible_ssh_pass=vagrant - -[webs] -web1 ansible_host=10.1.1.11 -web2 ansible_host=10.1.1.12 - -[db] -dbserver ansible_host=10.1.1.21 -``` - -- `[all:children]` defines a group(all) of groups -- `[all:vars]` defines variables that belong to the group all -- `[webs]` defines a group just like [dbs] -- The rest of the file is just declarations of hosts, with their names and IPs -- A blank line means end of a declaration - -Now that we have an inventory we can start using ansible from the command line, specifying a host or a group to perform commands. Here is a typical example of a command to check connectivity to your servers: - -``` -$ ansible -i inventory all -m ping -``` - -- `-i` specifies the inventory file -- `all` specifies the server or group of servers to operate -- `-m` specifies an ansible module, in this case ping - -Here is the output of this command: - -``` -dbserver | SUCCESS => { - "changed": false, - "ping": "pong" -} -web1 | SUCCESS => { - "changed": false, - "ping": "pong" -} -web2 | SUCCESS => { - "changed": false, - "ping": "pong" -} -``` - -Note that servers respond with a different order. This only depends on who responds first, but is not relevant, because ansible keeps the status of each server separate. 
- -You can also run any command using another switch: - -- `-a ` - -``` -$ ansible -i inventory all -a uptime -web1 | SUCCESS | rc=0 >> - 21:43:27 up 25 min, 1 user, load average: 0.00, 0.01, 0.05 - -dbserver | SUCCESS | rc=0 >> - 21:43:27 up 24 min, 1 user, load average: 0.00, 0.01, 0.05 - -web2 | SUCCESS | rc=0 >> - 21:43:27 up 25 min, 1 user, load average: 0.00, 0.01, 0.05 -``` - -Here is another example with only one server: - -``` -$ ansible -i inventory dbserver -a "df -h /" -dbserver | SUCCESS | rc=0 >> -Filesystem Size Used Avail Use% Mounted on -/dev/sda1 40G 1.4G 37G 4% / -``` - -### Playbooks - -Playbooks are just YAML files that associate groups of servers in an inventory with commands. The correct word in ansible is tasks, and it can be a desired state, a shell command, or many other options. For a list of all the things you can do with ansible take a look at the list of all modules. - -Here is an example of a playbook for running a shell command, save this as playbook1.yml: - -``` ---- -- hosts: all - tasks: - - shell: uptime -``` - -- `---` is the start of the YAML file -- `- hosts`: specifies what group is going to be used -- `tasks`: marks the start of a list of tasks -- `- shell`: specifies the first task using the shell module -- REMEMBER: YAML requires indentation so make sure you are always following the correct structure in your playbooks - -Run it with: - -``` -$ ansible-playbook -i inventory playbook1.yml - -PLAY [all] ********************************************************************* - -TASK [setup] ******************************************************************* -ok: [web1] -ok: [web2] -ok: [dbmaster] - -TASK [command] ***************************************************************** -changed: [web1] -changed: [web2] -changed: [dbmaster] - -PLAY RECAP ********************************************************************* -dbmaster : ok=2 changed=1 unreachable=0 failed=0 -web1 : ok=2 changed=1 unreachable=0 failed=0 -web2 : ok=2 
changed=1 unreachable=0 failed=0 -``` - -As you can see ansible ran 2 tasks, instead of just one we have in our playbook. The TASK [setup] is an implicit task that runs first to capture information of the servers like hostnames, IPs, distributions, and many more details, that information can then be used to run conditional tasks. - -There is also a final PLAY RECAP where ansible shows how many tasks ran and the corresponding state for each. In our case, since we ran a shell command, ansible doesn’t know the resulting state and it’s then considered as changed. - - -### Installing Software - -We are going to use apt to install software on our servers, for this we need to be root, so we have to use the become statement, save this content in playbook2.yml and run it(ansible-playbook playbook2.yml): - -``` ---- -- hosts: webs - become_user: root - become: true - tasks: - - apt: name=git state=present -``` - -There are statements you can apply to all modules in ansible; one is the name statement that let’s you print a more descriptive text about the task being executed. In order to use it you keep your task the same but add name: descriptive text as the first line, so our previous text will be: - -``` ---- -- hosts: webs - become_user: root - become: true - tasks: - - name: This task will make sure git is present on the system - apt: name=git state=present -``` - -### Using `with_items` - -When you are dealing with a list of items, packages to install, files to create, etc. ansible provides with_items. 
Here is how we use it in our playbook3.yml, adding at the same time some other statements we already know: - -``` ---- -- hosts: all - become_user: root - become: true - tasks: - - name: Installing dependencies - apt: name={{item}} state=present - with_items: - - git - - mysql-client - - libmysqlclient-dev - - build-essential - - python-software-properties -``` - -### Using `template` and `vars` - -`vars` is one statement that defines variables you can use either in `task` statements or inside `template` files. Jinja2 is the templating engine used in Ansible, but you don’t need to learn a lot about it to use it. Define variables in your playbook like this: - -``` ---- -- hosts: all - vars: - - secret_key: VqnzCLdCV9a3jK - - path_to_vault: /opt/very/deep/path - tasks: - - name: Setting a configuration file using template - template: src=myconfig.j2 dest={{path_to_vault}}/app.conf -``` - -As you can see I can use {{path_to_vault}} as part of the playbook, but also since I am using a template statement, I can use any variable inside the myconfig.j2 file, which has to be stored in a subfolder called templates. Your project tree should look like: - -``` -├── Vagrantfile -├── inventory -├── playbook1.yml -├── playbook2.yml -└── templates - └── myconfig.j2 -``` - -When ansible finds a template statement it will look into the templates folder and expand the variables surrounded by{{ and }}. - -Example template: - -``` -this is just an example vault_dir: {{path_to_vault}} secret_password: {{secret_key}} -``` - -You can also use `template` even if you are not expanding variables. I do this in advance considering I may add them later. 
For example, let’s create a `hosts.j2` template and add the hostnames and IPs: - -``` -10.1.1.11 web1 -10.1.1.12 web2 -10.1.1.21 dbserver -``` - -This will require a statement like this: - -``` - - name: Installing the hosts file in all servers - template: src=hosts.j2 dest=/etc/hosts mode=644 -``` - -### Shell commands - -You should always try to use modules because Ansible can track the state of the task and avoid repeating it unnecessarily, but there are times when a shell command is unavoidable. For those cases Ansible offers two options: - -- command: Literally just running a command without environment variables or redirections (|, <, >, etc.) -- shell: Runs /bin/sh and expands variables and redirections - -#### Other useful modules - -- apt_repository – Add/Remove package repositories in Debian family -- yum_repository – Add/Remove package repositories in RedHat family -- service – Start/Stop/Restart/Enable/Disable services -- git – Deploy code from a git server -- unarchive – Unarchive packages from the web or local sources - -#### Running a task only in one server - -Rails uses `migrations` to make gradual changes to your DB, but since you have more than one app server, these migrations can not be assigned as a group task, instead we need only one server to run the migrations. In cases like this is when run_once is used, run_once will delegate the task to one server and continue with the next task until this task is done. You only need to set run_once: true in your task. - -``` - - name: 'Run db:migrate' - shell: cd {{appdir}};rails db:migrate - run_once: true -``` - -##### Tasks that can fail - -By specifying ignore_errors: true you can run a task that may fail but doesn’t affect the completion of the rest of your playbook. This is useful, for example, when deleting a log file that initially will not exist. 
- -``` - - name: 'Delete logs' - shell: rm -f /var/log/nginx/errors.log - ignore_errors: true -``` - -##### Putting it all together - -Now using what we previously learned, here is the final version of each file: - -Vagrantfile: - -``` -VMs = [ - [ "web1", "10.1.1.11"], - [ "web2", "10.1.1.12"], - [ "dbserver", "10.1.1.21"], - ] - -Vagrant.configure(2) do |config| - VMs.each { |vm| - config.vm.define vm[0] do |box| - box.vm.box = "ubuntu/trusty64" - box.vm.network "private_network", ip: vm[1] - box.vm.hostname = vm[0] - box.vm.provider "virtualbox" do |vb| - vb.memory = "512" - end - end - } -end -``` - -inventory: - -``` -[all:children] -webs -db - -[all:vars] -ansible_user=vagrant -ansible_ssh_pass=vagrant - -[webs] -web1 ansible_host=10.1.1.11 -web2 ansible_host=10.1.1.12 - -[db] -dbserver ansible_host=10.1.1.21 -``` - -templates/hosts.j2: - -``` -10.1.1.11 web1 -10.1.1.12 web2 -10.1.1.21 dbserver -``` - -templates/my.cnf.j2: - -``` -[client] -port = 3306 -socket = /var/run/mysqld/mysqld.sock - -[mysqld_safe] -socket = /var/run/mysqld/mysqld.sock -nice = 0 - -[mysqld] -server-id = 1 -user = mysql -pid-file = /var/run/mysqld/mysqld.pid -socket = /var/run/mysqld/mysqld.sock -port = 3306 -basedir = /usr -datadir = /var/lib/mysql -tmpdir = /tmp -lc-messages-dir = /usr/share/mysql -skip-external-locking -bind-address = 0.0.0.0 -key_buffer = 16M -max_allowed_packet = 16M -thread_stack = 192K -thread_cache_size = 8 -myisam-recover = BACKUP -query_cache_limit = 1M -query_cache_size = 16M -log_error = /var/log/mysql/error.log -expire_logs_days = 10 -max_binlog_size = 100M - -[mysqldump] -quick -quote-names -max_allowed_packet = 16M - -[mysql] - -[isamchk] -key_buffer = 16M - -!includedir /etc/mysql/conf.d/ - -final-playbook.yml: - -- hosts: all - become_user: root - become: true - tasks: - - name: 'Install common software on all servers' - apt: name={{item}} state=present - with_items: - - git - - mysql-client - - libmysqlclient-dev - - build-essential - - 
python-software-properties - - name: 'Install hosts file' - template: src=hosts.j2 dest=/etc/hosts mode=644 - -- hosts: db - become_user: root - become: true - tasks: - - name: 'Software for DB server' - apt: name={{item}} state=present - with_items: - - mysql-server - - percona-xtrabackup - - mytop - - mysql-utilities - - name: 'MySQL config file' - template: src=my.cnf.j2 dest=/etc/mysql/my.cnf - - name: 'Restart MySQL' - service: name=mysql state=restarted - - name: 'Grant access to web app servers' - shell: echo 'GRANT ALL PRIVILEGES ON *.* TO "root"@"%" WITH GRANT OPTION;FLUSH PRIVILEGES;'|mysql -u root mysql - -- hosts: webs - vars: - - appdir: /opt/dummyapp - become_user: root - become: true - tasks: - - name: 'Add ruby-ng repo' - apt_repository: repo='ppa:brightbox/ruby-ng' - - name: 'Install rails software' - apt: name={{item}} state=present - with_items: - - ruby-dev - - ruby-all-dev - - ruby2.2 - - ruby2.2-dev - - ruby-switch - - libcurl4-openssl-dev - - libssl-dev - - zlib1g-dev - - nodejs - - name: 'Set ruby to 2.2' - shell: ruby-switch --set ruby2.2 - - name: 'Install gems' - shell: gem install bundler rails - - name: 'Kill puma if running' - shell: file /run/puma.pid >/dev/null && kill `cat /run/puma.pid` 2>/dev/null - ignore_errors: True - - name: 'Clone app repo' - git: - repo=https://github.com/c0d5x/rails_dummyapp.git - dest={{appdir}} - version=staging - force=yes - - name: 'Run bundler' - shell: cd {{appdir}};bundler - - name: 'Run db:setup' - shell: cd {{appdir}};rails db:setup - run_once: true - - name: 'Run db:migrate' - shell: cd {{appdir}};rails db:migrate - run_once: true - - name: 'Run rails server' - shell: cd {{appdir}};rails server -b 0.0.0.0 -p 80 --pid /run/puma.pid -d -``` - -### Turn up your environment - -Having these files in the same directory, turn up your dev environment by running: - -``` -vagrant up -ansible-playbook -i inventory final-playbook.yml -``` - -#### Deployment of new code - -Make changes to your code and push 
those changes to your repo. Then, simply make sure you have the correct branch in your git statement: - -``` - - name: 'Clone app repo' - git: - repo=https://github.com/c0d5x/rails_dummyapp.git - dest={{appdir}} - version=staging - force=yes -``` - -As an example, you can change the version field with master, run the playbook again: - -``` -ansible-playbook -i inventory final-playbook.yml -``` - -Check that the page has changed on any of the web servers: `http://10.1.1.11` or `http://10.1.1.12`. Change it back to `version=staging` and rerun the playbook and check the page again. - -You can also create an alternative playbook that has only the tasks related to the deployment so that it runs faster. - -### What is next !? - -This is a very small portion of what ansible can do. We didn’t touch roles, filters, debugor many other awesome features that it offers, but hopefully it gives you a good start! So, go ahead and start using it and learn as you go. If you have any questions you can reach me on twitter or comment below and let me know what else you’d like to find out about ansible! - - --------------------------------------------------------------------------------- - -via: https://gorillalogic.com/blog/getting-started-with-ansible/?utm_source=webopsweekly&utm_medium=email - -作者:[JOSE HIDALGO][a] - -译者:[译者ID](https://github.com/译者ID) - -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://gorillalogic.com/author/josehidalgo/ diff --git a/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md b/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md new file mode 100644 index 0000000000..ca1cd08cc2 --- /dev/null +++ b/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md 
@@ -0,0 +1,603 @@ +开始使用Ansible +========== + + +这是一篇关于 Ansible 的课程,你也可以用来作小项目的模板,或者继续深入这个工具。在本指南的最后,你将了解足够的自动化服务器配置、部署等。 + +### Ansible 是什么,为什么你该了解? + +Ansible是一个简单的配置管理系统。你只需要访问你的服务器或设备的ssh。它也不同于其他工具,因为它使用push的方式,而不是像chef那样使用pull的方式。你可以将代码部署到任意数量的服务器上,配置网络设备或在基础架构中自动执行任何操作。 + +#### 要求 + +假设你使用 Mac 或 Linux 作为你的工作站,Ubuntu Trusty为你的服务器,并有一些安装软件包的经验。此外,你的计算机上将需要以下软件。所以,如果你还没有它们,请先安装: + +- Virtualbox +- Vagrant +- Mac 用户: Homebrew + +#### 情景 +我们将模拟2个连接到MySQL数据库的Web应用程序服务器。Web应用程序使用Rails 5和Puma。 + +### 准备 + +#### Vagrantfile + +为这个项目创建一个文件夹并将下面的内容保存到:Vagrantfile + +``` +VMs = [ + [ "web1", "10.1.1.11"], + [ "web2", "10.1.1.12"], + [ "dbserver", "10.1.1.21"], + ] + +Vagrant.configure(2) do |config| + VMs.each { |vm| + config.vm.define vm[0] do |box| + box.vm.box = "ubuntu/trusty64" + box.vm.network "private_network", ip: vm[1] + box.vm.hostname = vm[0] + box.vm.provider "virtualbox" do |vb| + vb.memory = "512" + end + end + } +end +``` + +### 配置你的虚拟网络 + +我们希望我们的虚拟机能互相交互,但不要让流量流出到真实的网络,所以我们将在Virtualbox中创建一个仅在主机的网络适配器。 + +1. 打开 Virtualbox +2. 转到 Preferences +3. 转到 Network +4. 单击 Host-Only +5. 单击添加网络 +6. 单击 Adapter +7. 将IPv4设置为 10.1.1.1,IPv4网络掩码:255.255.255.0 +8. 单击 “OK” + +#### 测试虚拟机及虚拟网络 + +在终端中,在具有Vagrantfile的目录中,输入下面的命令: + +``` +vagrant up +``` + +这回创建你的虚拟机,因此会花费一会时间。输入下面的命令并验证输出来检查是否已经工作: + +``` +$ vagrant status +Current machine states: + +web1 running (virtualbox) +web2 running (virtualbox) +master running (virtualbox) + +This environment represents multiple VMs. The VMs are all listed +above with their current state. For more information about a specific +VM, run `vagrant status NAME`. +``` + +现在使用用户名和密码为vagrant,Vagrantfile中的IP登录其中一台虚拟机,这将验证虚拟机并将它们的密钥添加到你的已知主机文件中。 + + +``` +ssh vagrant@10.1.1.11 # password is `vagrant` +ssh vagrant@10.1.1.12 +ssh vagrant@10.1.1.21 +``` + +恭喜你!现在你已经有可以实验的服务器了。下面的剩下的部分! 
+ +### 安装 Ansible + +对于 Mac 用户: + +``` +$ brew install ansible +``` + +对于 Ubuntu 用户: + +``` +$ sudo apt install ansible +``` + +确保你使用了ansible最近的版本 2.1 或者更高的版本: + +``` +$ ansible --version +ansible 2.1.1.0 +``` + +### inventory + +Ansible 使用 inventory 来了解要使用的服务器,以及如何将它们分组以并行执行任务。让我们为这个项目创建我们的 inventory,并将 inventory 放在与 Vagrantfile 相同的文件夹中: + +``` +[all:children] +webs +db + +[all:vars] +ansible_user=vagrant +ansible_ssh_pass=vagrant + +[webs] +web1 ansible_host=10.1.1.11 +web2 ansible_host=10.1.1.12 + +[db] +dbserver ansible_host=10.1.1.21 +``` + +- `[all:children]` 定义一个组(all)的组 +- `[all:vars]` 定义属于组all的变量 +- `[webs]` 定义一个组,就像[dbs] +- 文件的其余部分只是主机的声明,带有它们的名称和IP +- 空行表示声明结束 + +现在我们有了一个inventory,我们可以从命令行开始使用 ansible,指定一个主机或一个组来执行命令。以下是检查与服务器的连接的命令示例: + +``` +$ ansible -i inventory all -m ping +``` + +- `-i` 指定inventory文件 +- `all` 指定要操作的服务器或服务器组 +- `-m' 指定一个ansible模块,在这种情况下为ping + +下面是命令输出: + +``` +dbserver | SUCCESS => { + "changed": false, + "ping": "pong" +} +web1 | SUCCESS => { + "changed": false, + "ping": "pong" +} +web2 | SUCCESS => { + "changed": false, + "ping": "pong" +} +``` + +服务器以不同的顺序响应,这只取决于谁先响应,但是这个没有相关,因为ansible独立保持每台服务器的状态。 + +你也可以使用另外一个选项运行任何命令: + +- `-a ` + +``` +$ ansible -i inventory all -a uptime +web1 | SUCCESS | rc=0 >> + 21:43:27 up 25 min, 1 user, load average: 0.00, 0.01, 0.05 + +dbserver | SUCCESS | rc=0 >> + 21:43:27 up 24 min, 1 user, load average: 0.00, 0.01, 0.05 + +web2 | SUCCESS | rc=0 >> + 21:43:27 up 25 min, 1 user, load average: 0.00, 0.01, 0.05 +``` + +这是只有一台服务器的另外一个例子: + +``` +$ ansible -i inventory dbserver -a "df -h /" +dbserver | SUCCESS | rc=0 >> +Filesystem Size Used Avail Use% Mounted on +/dev/sda1 40G 1.4G 37G 4% / +``` + +### Playbook + +Playbook 只是 YAML 文件,它将inventory中的服务器组与命令关联。ansible的正确用法是任务,它可以是期望的状态,shell 命令或许多其他选项。有关 ansible 可做的所有事情列表,可以查看所有模块的列表。 + +下面是一个运行 shell 命令的 playbook 示例,将其保存为 playbook1.yml: + +``` +--- +- hosts: all + tasks: + - shell: uptime +``` + +- `---` 是 YAML 文件的开始 +- ` - hosts`:指定要使用的组 +- 
`tasks`:标记任务列表的开始 +- ` - shell`:指定使用shell模块的第一个任务 +- 记住:YAML 需要缩进,确保你始终遵循playbook中的正确结构 + +用下面的命令运行它: + +``` +$ ansible-playbook -i inventory playbook1.yml + +PLAY [all] ********************************************************************* + +TASK [setup] ******************************************************************* +ok: [web1] +ok: [web2] +ok: [dbmaster] + +TASK [command] ***************************************************************** +changed: [web1] +changed: [web2] +changed: [dbmaster] + +PLAY RECAP ********************************************************************* +dbmaster : ok=2 changed=1 unreachable=0 failed=0 +web1 : ok=2 changed=1 unreachable=0 failed=0 +web2 : ok=2 changed=1 unreachable=0 failed=0 +``` + +正如你所见,ansible 运行了 2 个任务,而不是只有 playbook 中的一个。TASK [setup]是一个隐式任务,它会首先运行以捕获服务器的信息,如主机名、IP、分布和更多详细信息,然后可以使用该信息运行条件任务。 + +还有一个最后的PLAY RECAP,其中 ansible 显示了有多少个运行的任务以及每个对应的状态。在我们的例子中,因为我们运行了一个 shell 命令,ansible 不知道结果的状态,它被认为是 changed。 + + +### 安装软件 + +我们将使用 apt 在我们的服务器上安装软件,因为我们需要root,所以我们必须使用 become 语句,将这个内容保存在 playbook2.yml 中并运行它(ansible-playbook playbook2.yml): + +``` +--- +- hosts: webs + become_user: root + become: true + tasks: + - apt: name=git state=present +``` + +有可以应用于 ansible 中所有模块的语句; 一个是 name 语句,让我们可以打印关于正在执行的任务的更具描述性的文本。要使用它,任务还是一样,但是添加 name 字段:描述性文本作为第一行,所以我们以前的文本将是: + +``` +--- +- hosts: webs + become_user: root + become: true + tasks: + - name: This task will make sure git is present on the system + apt: name=git state=present +``` + +### 使用 `with_items` + +当你在处理一个项目列表、要安装的包、要创建的文件等时可以用 ansible 提供的 with_items。下面是我们如何在 playbook3.yml 中使用它,同时添加一些我们已经知道的其他语句: + +``` +--- +- hosts: all + become_user: root + become: true + tasks: + - name: Installing dependencies + apt: name={{item}} state=present + with_items: + - git + - mysql-client + - libmysqlclient-dev + - build-essential + - python-software-properties +``` + +### 使用 `template` 和 `vars` + +`vars` 是一个定义变量语句,可以在 `task` 语句或 `template` 文件中使用。 Jinja2 是 Ansible 中使用的模板引擎,但是关于它你不需要学习很多。在你的 
playbook 中定义变量,如下所示: + +``` +--- +- hosts: all + vars: + - secret_key: VqnzCLdCV9a3jK + - path_to_vault: /opt/very/deep/path + tasks: + - name: Setting a configuration file using template + template: src=myconfig.j2 dest={{path_to_vault}}/app.conf +``` + +正如你看到的,我可以使用 {{path_to_vault}} 作为 playbook 的一部分,但也因为我使用了模板语句,我可以使用 myconfig.j2 中的任何变量,它必须存在一个名为 templates 的子文件夹中。你项目树应该如下所示: + +``` +├── Vagrantfile +├── inventory +├── playbook1.yml +├── playbook2.yml +└── templates + └── myconfig.j2 +``` + +当 ansible 找到一个模板语句后它会在模板文件夹内查找,并将把被“{{”和“}}”括起来的变量展开来。 + +示例模板: + +``` +this is just an example vault_dir: {{path_to_vault}} secret_password: {{secret_key}} +``` + +即使你不扩展变量你也可以使用`模板`。考虑到将来会添加所以我先做了。比如创建一个 `hosts.j2` 模板并加入主机名和IP。 + +``` +10.1.1.11 web1 +10.1.1.12 web2 +10.1.1.21 dbserver +``` + +这里要求像这样的语句: + +``` + - name: Installing the hosts file in all servers + template: src=hosts.j2 dest=/etc/hosts mode=644 +``` + +### shell 命令 + +你应该总是尝试使用模块,因为 Ansible 可以跟踪任务的状态,并避免不必要的重复,但有时 shell 命令是不可避免的。 对于这些情况,Ansible 提供两个选项: + +- command:直接运行一个命令,没有环境变量或重定向(|,<,>等) +- shell:运行 /bin/sh 并展开变量和重定向 + +#### 其他有用的模块 + +- apt_repository - Debian家族中添加/删除包仓库 +- yum_repository - RedHat系列中添加/删除包仓库 +- service - 启动/停止/重新启动/启用/禁用服务 +- git - 从git服务器部署代码 +- unarchive - 从Web或本地源解开软件包 + +#### 只在一台服务器中运行任务 + +Rails 使用 `migrations` 来逐步更改数据库,但由于你有多个应用程序服务器,因此这些迁移不能被分配为组任务,而只需要一个服务器来运行迁移。在这种情况下,当使用 run_once 时,run_once 将分派任务到一个服务器,并继续下一个任务,直到这个任务完成。你只需要在你的任务中设置 run_once:true。 + +``` + - name: 'Run db:migrate' + shell: cd {{appdir}};rails db:migrate + run_once: true +``` + +##### 会失败的任务 + +通过指定 ignore_errors:true,你可以运行可能会失败但不影响剩余 playbook 完成的任务。这是非常有用的,例如,当删除最初不存在的日志文件时。 + +``` + - name: 'Delete logs' + shell: rm -f /var/log/nginx/errors.log + ignore_errors: true +``` + +##### 放到一起 + +现在用我们先前学到的,这里是每个文件的最终版: + +Vagrantfile: + +``` +VMs = [ + [ "web1", "10.1.1.11"], + [ "web2", "10.1.1.12"], + [ "dbserver", "10.1.1.21"], + ] + +Vagrant.configure(2) do |config| + VMs.each { |vm| + config.vm.define vm[0] 
do |box| + box.vm.box = "ubuntu/trusty64" + box.vm.network "private_network", ip: vm[1] + box.vm.hostname = vm[0] + box.vm.provider "virtualbox" do |vb| + vb.memory = "512" + end + end + } +end +``` + +inventory: + +``` +[all:children] +webs +db + +[all:vars] +ansible_user=vagrant +ansible_ssh_pass=vagrant + +[webs] +web1 ansible_host=10.1.1.11 +web2 ansible_host=10.1.1.12 + +[db] +dbserver ansible_host=10.1.1.21 +``` + +templates/hosts.j2: + +``` +10.1.1.11 web1 +10.1.1.12 web2 +10.1.1.21 dbserver +``` + +templates/my.cnf.j2: + +``` +[client] +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +[mysqld_safe] +socket = /var/run/mysqld/mysqld.sock +nice = 0 + +[mysqld] +server-id = 1 +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking +bind-address = 0.0.0.0 +key_buffer = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +myisam-recover = BACKUP +query_cache_limit = 1M +query_cache_size = 16M +log_error = /var/log/mysql/error.log +expire_logs_days = 10 +max_binlog_size = 100M + +[mysqldump] +quick +quote-names +max_allowed_packet = 16M + +[mysql] + +[isamchk] +key_buffer = 16M + +!includedir /etc/mysql/conf.d/ + +final-playbook.yml: + +- hosts: all + become_user: root + become: true + tasks: + - name: 'Install common software on all servers' + apt: name={{item}} state=present + with_items: + - git + - mysql-client + - libmysqlclient-dev + - build-essential + - python-software-properties + - name: 'Install hosts file' + template: src=hosts.j2 dest=/etc/hosts mode=644 + +- hosts: db + become_user: root + become: true + tasks: + - name: 'Software for DB server' + apt: name={{item}} state=present + with_items: + - mysql-server + - percona-xtrabackup + - mytop + - mysql-utilities + - name: 'MySQL config file' + template: src=my.cnf.j2 dest=/etc/mysql/my.cnf + - name: 'Restart 
MySQL' + service: name=mysql state=restarted + - name: 'Grant access to web app servers' + shell: echo 'GRANT ALL PRIVILEGES ON *.* TO "root"@"%" WITH GRANT OPTION;FLUSH PRIVILEGES;'|mysql -u root mysql + +- hosts: webs + vars: + - appdir: /opt/dummyapp + become_user: root + become: true + tasks: + - name: 'Add ruby-ng repo' + apt_repository: repo='ppa:brightbox/ruby-ng' + - name: 'Install rails software' + apt: name={{item}} state=present + with_items: + - ruby-dev + - ruby-all-dev + - ruby2.2 + - ruby2.2-dev + - ruby-switch + - libcurl4-openssl-dev + - libssl-dev + - zlib1g-dev + - nodejs + - name: 'Set ruby to 2.2' + shell: ruby-switch --set ruby2.2 + - name: 'Install gems' + shell: gem install bundler rails + - name: 'Kill puma if running' + shell: file /run/puma.pid >/dev/null && kill `cat /run/puma.pid` 2>/dev/null + ignore_errors: True + - name: 'Clone app repo' + git: + repo=https://github.com/c0d5x/rails_dummyapp.git + dest={{appdir}} + version=staging + force=yes + - name: 'Run bundler' + shell: cd {{appdir}};bundler + - name: 'Run db:setup' + shell: cd {{appdir}};rails db:setup + run_once: true + - name: 'Run db:migrate' + shell: cd {{appdir}};rails db:migrate + run_once: true + - name: 'Run rails server' + shell: cd {{appdir}};rails server -b 0.0.0.0 -p 80 --pid /run/puma.pid -d +``` + +### 打开你的环境 + +将这些文件放在相同的目录,运行下面的命令打开你的开发环境: + +``` +vagrant up +ansible-playbook -i inventory final-playbook.yml +``` + +#### 部署新的代码 + +确保修改了代码并push到了仓库中。接下来,确保你git语句中有正确的分支: + +``` + - name: 'Clone app repo' + git: + repo=https://github.com/c0d5x/rails_dummyapp.git + dest={{appdir}} + version=staging + force=yes +``` + +作为一个例子,你可以在master上修改version字段,再次运行 playbook: + +``` +ansible-playbook -i inventory final-playbook.yml +``` + +检查所有的 web 服务器上的页面是否已更改:`http:// 10.1.1.11` 或 `http:// 10.1.1.12`。将其更改为 `version = staging` 并重新运行 playbook 并再次检查页面。 + +你还可以创建只包含与部署相关的任务的替代 playbook,以便其运行更快。 + +### 接下来是什么 ?! 
+ +这只是可以做的很小一部分。我们没有接触角色、过滤器、调试器等许多其他很棒的功能,但我希望它给了你一个良好的开始!所以,请继续学习并使用它。如果你有任何问题,你可以在 twitter 或评论栏联系我,让我知道你还想知道哪些关于 ansible 的东西! + + +-------------------------------------------------------------------------------- + +via: https://gorillalogic.com/blog/getting-started-with-ansible/?utm_source=webopsweekly&utm_medium=email + +作者:[JOSE HIDALGO][a] + +译者:[译者ID](https://github.com/译者ID) + +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://gorillalogic.com/author/josehidalgo/ From 7ecc87055350a233d2b0e5eb6210847d020011b0 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 13:54:01 +0800 Subject: [PATCH 113/181] modify translator --- translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md b/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md index ca1cd08cc2..e118e56fa4 100644 --- a/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md +++ b/translated/tech/20161005 GETTING STARTED WITH ANSIBLE.md @@ -594,7 +594,7 @@ via: https://gorillalogic.com/blog/getting-started-with-ansible/?utm_source=webo 作者:[JOSE HIDALGO][a] -译者:[译者ID](https://github.com/译者ID) +译者:[geekpi](https://github.com/geekpi) 校对:[校对者ID](https://github.com/校对者ID) From b99ae171152355f9cc0655bae30e8cd07148b865 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 13:59:50 +0800 Subject: [PATCH 114/181] translating --- sources/tech/20161012 Introduction to FirewallD on CentOS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161012 Introduction to FirewallD on CentOS.md b/sources/tech/20161012 Introduction to FirewallD on CentOS.md index 9beba99e39..01000b2a15 100644 --- a/sources/tech/20161012 Introduction to FirewallD on CentOS.md +++ b/sources/tech/20161012 Introduction to FirewallD on CentOS.md 
@@ -1,3 +1,5 @@ +translating---geekpi + Introduction to FirewallD on CentOS ============================================================ From 5ad908d2c743ec48359c0fb8d33d1787ebcf99da Mon Sep 17 00:00:00 2001 From: Lv Feng Date: Fri, 30 Dec 2016 00:52:30 -0600 Subject: [PATCH 115/181] =?UTF-8?q?=E6=8F=90=E4=BA=A4=E5=8E=9F=E6=96=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ... To Install The PyCharm Python In Linux.md | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 sources/tech/20160921 How To Install The PyCharm Python In Linux.md diff --git a/sources/tech/20160921 How To Install The PyCharm Python In Linux.md b/sources/tech/20160921 How To Install The PyCharm Python In Linux.md new file mode 100644 index 0000000000..2625cdeb02 --- /dev/null +++ b/sources/tech/20160921 How To Install The PyCharm Python In Linux.md 
@@ -0,0 +1,113 @@ +How To Install The PyCharm Python IDE In Linux +============================================ + +![][7] +### Introduction + +Linux is often seen from the outside world as an operating system for geeks and whilst this is a misnomer it is true that if you want to develop software then Linux provides a great environment for doing so. + +People new to programming often ask which programming language they should use and when it comes to Linux the choices are generally C, C++, Python, Java, PHP, Perl and Ruby On Rails. + +Many of the core Linux programs are written in C but outside the Linux world it isn't used as commonly as other languages such as Java and Python. + +Python and Java are both great choices because they are cross platform and therefore the programs you write for Linux will work on Windows and Macs as well. + +Whilst you can use any editor for developing Python applications you will find that your programming life will be so much easier if you use a good integrated development environment (IDE) consisting of an editor and a debugger. + +PyCharm is a cross platform editor developed by Jetbrains. If you come from a Windows development environment you will recognise Jetbrains as the company who produce the excellent product Resharper which is used to refactor your code, point out potential issues and automatically add statements such as when you use a class it will import it for you. + +This article will show you how to get PyCharm, install and run Pycharm within Linux + +### How To Get PyCharm + +You can get PyCharm by visiting [here][1] +There is a large download button in the centre of the screen. + +You have a choice of downloading the professional version or the community edition. If you are just getting into programming in Python then I recommend going for the community edition. + +However the professional version has some great features that shouldn't be overlooked if you intend to program professionally. 
+ +### How To Install PyCharm + +The file that has been downloaded will be called something like pycharm-professional-2016.2.3.tar.gz. + +A file ending in "tar.gz" has been compressed using [the gzip tool][2] and has been archived using [tar][3] to keep the folder structure in one place. + +You can read this guide for more information about [extracting tar.gz files][4]. + +For quickness though all you have to do to extract the file is open a terminal and navigate to the folder the file has been downloaded to. + + ``` + cd ~/Downloads + ``` + +Now find out the name of the file you downloaded by running the following command: + + ``` + ls pycharm* + ``` + +To extract the file run the following command: + + ``` + tar -xvzf pycharm-professional-2016.2.3.tar.gz -C ~ + ``` + +Make sure you replace the name of the pycharm file with the one provided via the ls command. (i.e the filename you downloaded). + +The above command will put the PyCharm software in your home folder. + +### How To Run PyCharm + +To run PyCharm first navigate to your home folder: + + ``` + cd ~ + ``` + +Run the ls command to find the folder name + + ``` + ls + ``` + +When you have the file name navigate into the pycharm folder as follows: + + ``` + cd pycharm-2016.2.3/bin + ``` + +Finally to run PyCharm run the following command: + + ``` + sh pycharm.sh & + ``` + +If you are running a desktop environment such as GNOME, KDE, Unity, Cinnamon or any other modern desktop you will also be able to use the menu or dash for that desktop environment to find PyCharm. + +### Summary + +Now that PyCharm is installed you can start creating desktop applications, web applications and all manner of tools. + +If you want to learn how to program in Python then it is worth checking out this guide which shows the best places for [learning resources][5]. The article is geared more towards learning Linux than Python but the resources such as Pluralsight and Udemy provide access to really good course for Python. 
+ +To find out what features are available in PyCharm [click here][6] for a full overview. It covers everything from creating a project to describing the user interface, debugging and code refactoring. + +----------------------------------------------------------------------------------------------------------- + +via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 + +作者:[ Gary Newell][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.lifewire.com/gary-newell-2180098 +[1]:https://www.jetbrains.com/pycharm/ +[2]:https://www.lifewire.com/example-uses-of-the-linux-gzip-command-4078675 +[3]:https://www.lifewire.com/uses-of-linux-command-tar-2201086 +[4]:https://www.lifewire.com/extract-tar-gz-files-2202057 +[5]:https://www.lifewire.com/learn-linux-in-structured-manner-4061368 +[6]:https://www.lifewire.com/pycharm-the-best-linux-python-ide-4091045 +[7]:https://fthmb.tqn.com/ju1u-Ju56vYnXabPbsVRyopd72Q=/768x0/filters:no_upscale()/about/pycharmstart-57e2cb405f9b586c351a4cf7.png From deaf217a9d0416a496335dcfab95ae77eb1e038c Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 15:13:02 +0800 Subject: [PATCH 116/181] translated --- ...012 Introduction to FirewallD on CentOS.md | 411 ------------------ ...012 Introduction to FirewallD on CentOS.md | 406 +++++++++++++++++ 2 files changed, 406 insertions(+), 411 deletions(-) delete mode 100644 sources/tech/20161012 Introduction to FirewallD on CentOS.md create mode 100644 translated/tech/20161012 Introduction to FirewallD on CentOS.md diff --git a/sources/tech/20161012 Introduction to FirewallD on CentOS.md b/sources/tech/20161012 Introduction to FirewallD on CentOS.md deleted file mode 100644 index 01000b2a15..0000000000 --- a/sources/tech/20161012 Introduction to FirewallD on CentOS.md +++ /dev/null 
@@ -1,411 +0,0 @@ -translating---geekpi - -Introduction to FirewallD on CentOS -============================================================ - - -[FirewallD][4] is frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to directly controlling iptables: - -1. FirewallD uses _zones_ and _services_ instead of chain and rules. -2. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections. - -> FirewallD is a wrapper for iptables to allow easier management of iptables rules–it is **not** an iptables replacement. While iptables commands are still available to FirewallD, it’s recommended to use only FirewallD commands with FirewallD. - -This guide will introduce you to FirewallD, its notions of zones and services, and show you some basic configuration steps. - -### Installing and Managing FirewallD - -FirewallD is included by default with CentOS 7 and Fedora 20+ but it’s inactive. Controlling it is the same as with other systemd units. - -1. To start the service and enable FirewallD on boot: - - - ``` - sudo systemctl start firewalld - sudo systemctl enable firewalld - ``` - | - - To stop and disable it: - - - ``` - sudo systemctl stop firewalld - sudo systemctl disable firewalld - ``` - - -2. Check the firewall status. The output should say either `running` or `not running`. - - - ``` - sudo firewall-cmd --state - ``` - - -3. 
To view the status of the FirewallD daemon: - - - ``` - sudo systemctl status firewalld - ``` - - - Example output: - - - ``` - firewalld.service - firewalld - dynamic firewall daemon - Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled) - Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago - Main PID: 11954 (firewalld) - CGroup: /system.slice/firewalld.service - └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid - ``` - - -4. To reload a FirewallD configuration: - - - ``` - sudo firewall-cmd --reload - ``` - - -### Configuring FirewallD - -Firewalld is configured with XML files. Except for very specific configurations, you won’t have to deal with them and **firewall-cmd** should be used instead. - -Configuration files are located in two directories: - -* `/usr/lib/FirewallD` holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update. -* `/etc/firewalld` holds system configuration files. These files will overwrite a default configuration. - -### Configuration Sets - -Firewalld uses two _configuration sets_: Runtime and Permanent. Runtime configuration changes are not retained on reboot or upon restarting FirewallD whereas permanent changes are not applied to a running system. - -By default, `firewall-cmd` commands apply to runtime configuration but using the `--permanent` flag will establish a persistent configuration. To add and activate a permanent rule, you can use one of two methods. - -1. Add the rule to both the permanent and runtime sets. - - - ``` - sudo firewall-cmd --zone=public --add-service=http --permanent - sudo firewall-cmd --zone=public --add-service=http - ``` - - -2. Add the rule to the permanent set and reload FirewallD. 
- - - ``` - sudo firewall-cmd --zone=public --add-service=http --permanent - sudo firewall-cmd --reload - ``` - - - > The reload command drops all runtime configurations and applies a permanent configuration. Because firewalld manages the ruleset dynamically, it won’t break an existing connection and session. - -### Firewall Zones - -Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.). Different zones allow different network services and incoming traffic types while denying everything else. After enabling FirewallD for the first time, _Public_will be the default zone. - -Zones can also be applied to different network interfaces. For example, with separate interfaces for both an internal network and the Internet, you can allow DHCP on an internal zone but only HTTP and SSH on external zone. Any interface not explicitly set to a specific zone will be attached to the default zone. - -To view the default zone: - - -``` -sudo firewall-cmd --get-default-zone -``` - - -To change the default zone: - -``` -sudo firewall-cmd --set-default-zone=internal -``` - - -To see the zones used by your network interface(s): - -``` -sudo firewall-cmd --get-active-zones -``` - - -Example output: - - -``` -public - interfaces: eth0 -``` - - -To get all configurations for a specific zone: - - -``` -sudo firewall-cmd --zone=public --list-all -``` - - -Example output: - - -``` -public (default, active) - interfaces: ens160 - sources: - services: dhcpv6-client http ssh - ports: 12345/tcp - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -``` - -To get all configurations for all zones: - -``` -sudo firewall-cmd --list-all-zones -``` - - -Example output: - - -``` -block - interfaces: - sources: - services: - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - - ... 
- -work - interfaces: - sources: - services: dhcpv6-client ipp-client ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -``` - - -### Working with Services - -FirewallD can allow traffic based on predefined rules for specific network services. You can create your own custom serivce rules and add them to any zone. The configuration files for the default supported services are located at `/usr/lib/firewalld/services` and user-created service files would be in `/etc/firewalld/services`. - -To view the default available services: - - -``` -sudo firewall-cmd --get-services -``` - - -As an example, to enable or disable the HTTP service: - - -``` -sudo firewall-cmd --zone=public --add-service=http --permanent -sudo firewall-cmd --zone=public --remove-service=http --permanent -``` - - -### Allowing or Denying an Arbitrary Port/Protocol - -As an example: Allow or disable TCP traffic on port 12345. - - -``` -sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent -sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent -``` - - -### Port Forwarding - -The example rule below forwards traffic from port 80 to port 12345 on **the same server**. - - -``` -sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345 -``` - - -To forward a port to **a different server**: - -1. Activate masquerade in the desired zone. - - - ``` - sudo firewall-cmd --zone=public --add-masquerade - ``` - - -2. Add the forward rule. This example forwards traffic from local port 80 to port 8080 on _a remote server_ located at the IP address: 123.456.78.9. - - - ``` - sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9 - ``` - - -To remove the rules, substitute `--add` with `--remove`. 
For example: - - -``` -sudo firewall-cmd --zone=public --remove-masquerade -``` - - -### Constructing a Ruleset with FirewallD - -As an example, here is how you would use FirewallD to assign basic rules to your Linode if you were running a web server. - -1. Assign the _dmz_ zone as the default zone to eth0\. Of the default zones offered, dmz (demilitarized zone) is the most desirable to start with for this application because it allows only SSH and ICMP. - - - ``` - sudo firewall-cmd --set-default-zone=dmz - sudo firewall-cmd --zone=dmz --add-interface=eth0 - ``` - - -2. Add permanent service rules for HTTP and HTTPS to the dmz zone: - - - ``` - sudo firewall-cmd --zone=dmz --add-service=http --permanent - sudo firewall-cmd --zone=dmz --add-service=https --permanent - ``` - - -3. Reload FirewallD so the rules take effect immediately: - - - ``` - sudo firewall-cmd --reload - ``` - - - If you now run `firewall-cmd --zone=dmz --list-all`, this should be the output: - - - - ``` - dmz (default) - interfaces: eth0 - sources: - services: http https ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - ``` - - - This tells us that the **dmz** zone is our **default** which applies to the **eth0 interface**, all network **sources** and **ports**. Incoming HTTP (port 80), HTTPS (port 443) and SSH (port 22) traffic is allowed and since there are no restrictions on IP versioning, this will apply to both IPv4 and IPv6. **Masquerading** and **port forwarding** are not allowed. We have no **ICMP blocks**, so ICMP traffic is fully allowed, and no **rich rules**. All outgoing traffic is allowed. - -### Advanced Configuration - -Services and ports are fine for basic configuration but may be too limiting for advanced scenarios. Rich Rules and Direct Interface allow you to add fully custom firewall rules to any zone for any port, protocol, address and action. 
- -### Rich Rules - -Rich rules syntax is extensive but fully documented in the [firewalld.richlanguage(5)][5] man page (or see `man firewalld.richlanguage` in your terminal). Use `--add-rich-rule`, `--list-rich-rules` and `--remove-rich-rule` with firewall-cmd command to manage them. - -Here are some common examples: - -Allow all IPv4 traffic from host 192.168.0.14. - - -``` -sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept' -``` - - -Deny IPv4 traffic over TCP from host 192.168.1.10 to port 22. - - -``` -sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject' -``` - - -Allow IPv4 traffic over TCP from host 10.1.0.3 to port 80, and forward it locally to port 6532. - - -``` -sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532' -``` - - -Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade should be active on the zone). - - -``` -sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2' -``` - - -To list your current Rich Rules: - - -``` -sudo firewall-cmd --list-rich-rules -``` - - -### iptables Direct Interface - -For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless the `--permanent` is used. - -To see all custom chains or rules added to FirewallD: - - -``` -firewall-cmd --direct --get-all-chains -firewall-cmd --direct --get-all-rules -``` - - -Discussing iptables syntax details goes beyond the scope of this guide. If you want to learn more, you can review our [iptables guide][6]. - -### More Information - -You may wish to consult the following resources for additional information on this topic. 
While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials. - -* [FirewallD Official Site][1] -* [RHEL 7 Security Guide: Introduction to FirewallD][2] -* [Fedora Wiki: FirewallD][3] - --------------------------------------------------------------------------------- - -via: https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos - -作者:[ Linode][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos -[1]:http://www.firewalld.org/ -[2]:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld -[3]:https://fedoraproject.org/wiki/FirewallD -[4]:http://www.firewalld.org/ -[5]:https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.richlanguage.html -[6]:https://www.linode.com/docs/networking/firewalls/control-network-traffic-with-iptables diff --git a/translated/tech/20161012 Introduction to FirewallD on CentOS.md b/translated/tech/20161012 Introduction to FirewallD on CentOS.md new file mode 100644 index 0000000000..6a84431bc3 --- /dev/null +++ b/translated/tech/20161012 Introduction to FirewallD on CentOS.md 
@@ -0,0 +1,406 @@ +在CentOS 上介绍 FirewallD +============================================================ + + +[FirewallD][4] 是iptables的前端控制器,用于实现持久网络流量规则。它提供命令行和图形界面,在大多数Linux发行版的仓库中都有。与直接控制iptables相比,使用 FirewallD 有两个主要区别: + +1. FirewallD 使用 _zones_ 和 _services_ 而不是链式规则。 +2. 它动态管理规则集,允许更新而不破坏现有会话和连接。 + +> FirewallD是 iptables 的一个封装,允许更容易地管理 iptables 规则 - 它并*不是* iptables 的替代品。虽然 iptables 命令仍可用于 FirewallD,但建议仅在 FirewallD 中使用 FirewallD 命令。 + +本指南将向您介绍 FirewallD的 zone 和 service 的概念,以及一些基本的配置步骤。 + +### 安装与管理 FirewallD + +CentOS 7 和 Fedora 20+ 已经包含了 FirewallD 但是默认没有激活。像其他 systemd 单元那样控制它。 + +1. 启动服务,并在启动时启动该服务: + + + ``` + sudo systemctl start firewalld + sudo systemctl enable firewalld + ``` + + 要停止并禁用: + + + ``` + sudo systemctl stop firewalld + sudo systemctl disable firewalld + ``` + + +2. 检查firewall状态。输出应该是 `running` 或者 `not running`。 + + + ``` + sudo firewall-cmd --state + ``` + + +3. 要查看 FirewallD 守护进程的状态: + + + ``` + sudo systemctl status firewalld + ``` + + + 示例输出 + + + ``` + firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled) + Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago + Main PID: 11954 (firewalld) + CGroup: /system.slice/firewalld.service + └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid + ``` + + +4. 重新加载 FirewallD 配置: + + + ``` + sudo firewall-cmd --reload + ``` + + +### 配置 FirewallD + +FirewallD 使用 XML 进行配置。除非是非常具体的配置,你不必处理它们,而应该使用 ** firewall-cmd **。 + +配置文件位于两个目录中: + +* `/usr/lib/FirewallD` 保存默认配置,如默认 zone 和公共 service。 避免更新它们,因为这些文件将被每个 firewalld 包更新覆盖。 +* `/etc/firewalld` 保存系统配置文件。 这些文件将覆盖默认配置。 + +### 配置集 + +FirewallD 使用两个_配置集_:Runtime 和 Permanent。 在重新启动或重新启动 FirewallD 时,不会保留运行时的配置更改,而永久更改不会应用于正在运行的系统。 + +默认情况下,`firewall-cmd` 命令适用于运行时配置,但使用 `--permanent` 标志将建立持久配置。要添加和激活永久性规则,你可以使用两种方法之一。 + +1. 
将规则同时添加到 permanent 和 runtime 中。 + + + ``` + sudo firewall-cmd --zone=public --add-service=http --permanent + sudo firewall-cmd --zone=public --add-service=http + ``` + + +2. 将规则添加到 permanent 中并重新加载 FirewallD。 + + + ``` + sudo firewall-cmd --zone=public --add-service=http --permanent + sudo firewall-cmd --reload + ``` + + + > reload 命令会删除所有运行时配置并应用永久配置。因为firewalld 动态管理规则集,所以它不会破坏现有的连接和会话。 + +### Firewall Zone + +zone 是针对给定位置或场景(例如家庭、公共、受信任等)可能具有的各种信任级别的预构建规则集。不同的 zone 允许不同的网络服务和入站流量类型,而拒绝其他任何流量。 首次启用 FirewallD 后,_Public_ 将是默认 zone。 + +zone 也可以用于不同的网络接口。例如,对于内部网络和Internet的单独接口,你可以在内部 zone 上允许 DHCP,但在外部 zone 仅允许HTTP和SSH。未明确设置为特定区域的任何接口将添加到默认 zone。 + +要浏览默认的 zone: + + +``` +sudo firewall-cmd --get-default-zone +``` + + +要修改默认的 zone: + +``` +sudo firewall-cmd --set-default-zone=internal +``` + + +要查看你网络接口使用的 zone: + +``` +sudo firewall-cmd --get-active-zones +``` + + +示例输出: + + +``` +public + interfaces: eth0 +``` + + +要得到特定 zone 的所有配置: + + +``` +sudo firewall-cmd --zone=public --list-all +``` + + +示例输出: + + +``` +public (default, active) + interfaces: ens160 + sources: + services: dhcpv6-client http ssh + ports: 12345/tcp + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +``` + +要得到所有 zone 的配置: + +``` +sudo firewall-cmd --list-all-zones +``` + + +示例输出: + +``` +block + interfaces: + sources: + services: + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: + + ... 
+ +work + interfaces: + sources: + services: dhcpv6-client ipp-client ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +``` + + +### 与 Service 一起使用 + +FirewallD 可以根据特定网络服务的预定义规则允许相关流量。你可以创建自己的自定义系统规则,并将它们添加到任何 zone。 默认支持的服务的配置文件位于 `/usr/lib /firewalld/services`,用户创建的服务文件在`/etc/firewalld/services`中。 + +要查看默认的可用服务: + + +``` +sudo firewall-cmd --get-services +``` + + +比如,要启用或禁用 HTTP 服务: + + +``` +sudo firewall-cmd --zone=public --add-service=http --permanent +sudo firewall-cmd --zone=public --remove-service=http --permanent +``` + + +### 允许或者拒绝任意端口/协议 + +比如:允许或者禁用 12345 的 TCP 流量。 + + +``` +sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent +sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent +``` + + +### 端口转发 + +下面是**在同一台服务器上**将 80 端口的流量转发到 12345 端口。 + +``` +sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345 +``` + + +要将端口转发到**另外一台服务器上**: + +1. 在需要的 zone 中激活 masquerade。 + + + ``` + sudo firewall-cmd --zone=public --add-masquerade + ``` + + +2. 添加转发规则。例子中是将 IP 地址为:123.456.78.9 的_远程服务器上_ 80 端口的流量转发到 8080 上。 + + + ``` + sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9 + ``` + + +要删除规则,用 `--remove` 替换 `--add`。比如: + + +``` +sudo firewall-cmd --zone=public --remove-masquerade +``` + + +### 用 FirewallD 构建规则集 + +例如,以下是如何使用 FirewallD 为你的 Linode 配置基本规则(如果您正在运行 web 服务器)。 + +1. 将eth0的默认 zone 设置为 _dmz_。 在提供的默认 zone 中,dmz(非军事区)是最适合开始这个程序的,因为它只允许SSH和ICMP。 + + + ``` + sudo firewall-cmd --set-default-zone=dmz + sudo firewall-cmd --zone=dmz --add-interface=eth0 + ``` + + +2. 为 HTTP 和 HTTPS 添加永久服务规则到 dmz zone 中: + + + ``` + sudo firewall-cmd --zone=dmz --add-service=http --permanent + sudo firewall-cmd --zone=dmz --add-service=https --permanent + ``` + + +3. 
重新加载 FirewallD 让规则立即生效: + + + ``` + sudo firewall-cmd --reload + ``` + + + 如果你运行 `firewall-cmd --zone=dmz --list-all`, 会有下面的输出: + + + + ``` + dmz (default) + interfaces: eth0 + sources: + services: http https ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: + ``` + + + 这告诉我们,**dmz** zone 是我们的**默认** zone,它被分配到 **eth0 接口**中所有网络的**源**和**端口**。 允许传入 HTTP(端口80)、HTTPS(端口443)和 SSH(端口22)的流量,并且由于没有 IP 版本控制的限制,这些适用于 IPv4 和 IPv6。 **不允许伪装**以及**端口转发**。 我们没有** ICMP 块**,所以 ICMP 流量是完全允许的,没有** rich 规则**。 允许所有出站流量。 + +### 高级配置 + +服务和端口适用于基本配置,但对于高级情景可能会太有限制。 rich 规则和 direct 接口允许你为任何端口、协议、地址和操作向任何 zone 添加完全自定义的防火墙规则。 + +### rich 规则 + +rich 规则的语法有很多,但都完整地记录在 [firewalld.richlanguage(5)][5] 的手册页中(或在终端中 `man firewalld.richlanguage`)。 使用 `--add-rich-rule`、`--list-rich-rules` 、 `--remove-rich-rule` 和 firewall-cmd 命令来管理它们。 + +这里有一些常见的例子: + +允许来自主机 192.168.0.14 的所有IPv4流量。 + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept' +``` + + +拒绝来自主机 192.168.1.10 到 22 端口的 IPv4 的 TCP 流量。 + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject' +``` + + +允许来自主机 10.1.0.3 到 80 端口的IPv4 的 TCP 流量,并将流量转发到 6532 端口上。 + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532' +``` + + +将主机 172.31.4.2 上 80 端口的 IPv4 流量转发到 8080 端口(需要在 zone 上激活 masquerade)。 + + +``` +sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2' +``` + + +列出你目前的 rich 规则: + + +``` +sudo firewall-cmd --list-rich-rules +``` + + +### iptables 的直接接口 + +对于最高级的使用,或对于 iptables 专家,FirewallD 提供了一个直接接口,允许你给它传递原始 iptables 命令。 直接接口规则不是持久的,除非使用 `--permanent`。 + +要查看添加到 FirewallD 的所有自定义链或规则: + + +``` +firewall-cmd --direct --get-all-chains +firewall-cmd --direct --get-all-rules +``` + + +讨论 iptables 
的具体语法已经超出了这篇文章的范围。如果你想学习更多,你可以查看我们的 [iptables 指南][6]。 + +### 更多信息 + +你可以查阅以下资源以获取有关此主题的更多信息。虽然我们希望我们提供的是有效的,但是请注意,我们不能保证外部材料的准确性或及时性。 + +* [FirewallD 官方网站][1] +* [RHEL 7 安全指南:FirewallD 简介][2] +* [Fedora Wiki:FirewallD][3] + +-------------------------------------------------------------------------------- + +via: https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos + +作者:[Linode][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos +[1]:http://www.firewalld.org/ +[2]:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld +[3]:https://fedoraproject.org/wiki/FirewallD +[4]:http://www.firewalld.org/ +[5]:https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.richlanguage.html +[6]:https://www.linode.com/docs/networking/firewalls/control-network-traffic-with-iptables From 0572638b2c4a9e61ab2655710068209a11b27f32 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 15:16:59 +0800 Subject: [PATCH 117/181] translating --- sources/tech/20161028 Inkscape: Adding some colour.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161028 Inkscape: Adding some colour.md b/sources/tech/20161028 Inkscape: Adding some colour.md index 36fba33dd9..bc8d432524 100644 --- a/sources/tech/20161028 Inkscape: Adding some colour.md +++ b/sources/tech/20161028 Inkscape: Adding some colour.md @@ -1,3 +1,5 @@ +translating---geekpi + ### [Inkscape: Adding some colour][1] ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) From ffaaf8a9b330122ceff55c63c264ad470312fdbc Mon Sep 17 00:00:00 2001 
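Review bot: In the added translated/tech/20161012 Introduction to FirewallD on CentOS.md (@@ -0,0 +1,406 @@), two port-forwarding sentences reverse the direction stated in the source file this patch removes. Step 2 under 端口转发 says traffic on port 80 of the remote server 123.456.78.9 is forwarded to 8080, while the source reads "forwards traffic from local port 80 to port 8080 on a remote server". The rich-rule sentence for 172.31.4.2 has the same inversion against "Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2". Both should say that local port 80 is forwarded to port 8080 on that host, because a reader following the Chinese text would misjudge what the rule exposes. Also in this hunk, `/usr/lib /firewalld/services` has a stray space inside the path, and "自定义系统规则" should be service rules (自定义服务规则).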
From: Flynn Date: Fri, 30 Dec 2016 15:16:38 +0800 Subject: [PATCH 118/181] translating --- .../tech/20160921 How To Install The PyCharm Python In Linux.md | 1 + 1 file changed, 1 insertion(+) diff --git a/sources/tech/20160921 How To Install The PyCharm Python In Linux.md b/sources/tech/20160921 How To Install The PyCharm Python In Linux.md index 2625cdeb02..39063d98b2 100644 --- a/sources/tech/20160921 How To Install The PyCharm Python In Linux.md +++ b/sources/tech/20160921 How To Install The PyCharm Python In Linux.md @@ -1,3 +1,4 @@ +ucasFL translating How To Install The PyCharm Python IDE In Linux ============================================ From b17b27e59ade002084dabf0c7b746fce3fc2745c Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Fri, 30 Dec 2016 15:59:54 +0800 Subject: [PATCH 119/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 @geekpi,谢谢。 --- ...cent or Today’s Modified Files in Linux.md | 67 +++++++++---------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md index f77e55014b..7febcfb992 100644 --- a/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md +++ b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md 
@@ -1,20 +1,20 @@ -如何在Linux中找出最近或今天被修改的文件 +如何在 Linux 中找出最近或今天被修改的文件 ============================================================ -在本文中,我们将解释两个简单的[命令行小贴士][5],它可以帮你列出今天的所有文件。 +在本文中,我们将解释两个简单的[命令行小贴士][5],它可以帮你只列出今天的所有文件。 -Linux用户在命令行上遇到的常见问题之一是[定位具有特定名称的文件][6],当你知道真实的文件名时可能会容易得多。 +Linux 用户在命令行上遇到的常见问题之一是[定位具有特定名称的文件][6],如果你知道确定的文件名则可能会容易得多。 -但是,假设你忘记了在白天早些时候创建的文件的名称(在你包含了数百个文件的`home`文件夹中),但你有急用。 +不过,假设你忘记了白天早些时候创建的文件的名称(在你包含了数百个文件的 `home` 文件夹中),但现在你有急用。 下面用不同的方式只[列出所有你今天创建或修改的文件][7](直接或间接)。 -1.使用[ls命令][8],你只能按如下所示在你的home文件夹中列出今天的文件,其中: +1.使用[ ls 命令][8],只列出你的 home 文件夹中今天的文件,其中: -1. `-a` - 列出所有文件,包括隐藏文件 -2. `-l` - 启用长列表格式 -3. `--time-style = FORMAT` - 显示指定FORMAT的时间 -4. `+%D` - 以%m/%d/%y格式显示/使用日期 +- `-a` - 列出所有文件,包括隐藏文件 +- `-l` - 启用长列表格式 +- `--time-style = FORMAT` - 显示指定 FORMAT 的时间 +- `+%D` - 以 %m/%d/%y (月/日/年)格式显示或使用日期 ``` # ls -al --time-style=+%D | grep 'date +%D' 
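Review bot: The unchanged context line at the end of this hunk, `# ls -al --time-style=+%D | grep 'date +%D'`, wraps `date +%D` in single quotes, so grep searches for the literal text "date +%D" instead of today's date and matches none of today's files. Since this pass is proofreading the article, change it to command substitution, `grep "$(date +%D)"`, and apply the same fix to the `-alX` and `-alS` variants in the next hunk. The option bullet `--time-style = FORMAT` should also lose the spaces around `=` so that it matches the command as typed.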
@@ -23,32 +23,31 @@ Linux用户在命令行上遇到的常见问题之一是[定位具有特定名 ![Find Recent Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Recent-Files-in-Linux.png) ][9] -在Linux中找出最近的文件 +*在Linux中找出最近的文件* -In addition, you can [sort the resultant list alphabetically][10] by including the `-X` flag: -此外,你使用可以`-X`标志来[按字母顺序对结果排序][10]: +此外,你使用可以 `-X` 标志来[按字母顺序对结果排序][10]: ``` # ls -alX --time-style=+%D | grep 'date +%D' ``` -你也可以使用`-S`标志来基于大小(大的优先)来排序: +你也可以使用 `-S` 标志来基于大小(由大到小)来排序: ``` # ls -alS --time-style=+%D | grep 'date +%D' ``` -2. 另外使用[find命令][11]会更灵活,并且提供比ls更多的选项,用于以下相同的目的。 +2. 另外,使用 [find 命令][11]会更灵活,并且提供比 ls 更多的选项,用于以下相同的目的。 -1. `-maxdepth`级别用于指定要执行搜索操作的起点(在这个情况下为当前目录)下的搜索层级(按子目录)。 -2. `-newerXY`,如果有问题的文件的时间戳X比引用文件的时间戳Y更新,那么这个就能用了。 X和Y表示以下任何字母: -     1. a - 文件引用的访问时间 -     2. B - 文件引用的创建时间 -     3. c - 文件引用的inode状态改变时间 -     4.m - 文件引用的修改时间 -     5. t - 引用直接解释为一个时间 +-  `-maxdepth` 级别用于指定搜索操作的起点(在这个情况下为当前目录)下的搜索层级(子目录层级数)。 +-  `-newerXY`,用于寻找时间戳 X 比参照文件的时间戳 Y 更新的文件。 X 和 Y 表示以下任何字母: +     - a - 参照文件的访问时间 +     - B - 参照文件的创建时间 +     - c - 参照文件的 inode 状态改变时间 +     - m - 参照文件的修改时间 +     - t - 直接指定一个绝对时间 -下面的命令意味着只有在2016-12-06修改的文件将被找出: +下面的命令意思是只找出 2016-12-06 这一天修改的文件: ``` # find . -maxdepth 1 -newermt "2016-12-06" @@ -57,16 +56,16 @@ In addition, you can [sort the resultant list alphabetically][10] by including ![Find Today's Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Files-in-Linux.png) ][12] -在Linux中找出今天的文件 +*在 Linux 中找出今天的文件* -重要:使参考上面的[find命令][13]中正确的日期格式,一旦你使用了错误的格式,你会得到如下错误: +重要:在上面的 [find 命令][13]中使用正确的**日期格式**作为参照时间,一旦你使用了错误的格式,你会得到如下错误: ``` # find . -maxdepth 1 -newermt "12-06-2016" find: I cannot figure out how to interpret '12-06-2016' as a date or time ``` -或者使用下面正确的格式: +或者,使用下面的正确格式: ``` # find . -maxdepth 1 -newermt "12/06/2016" 
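Review bot: The new sentence in the @@ -23,32 +23,31 @@ hunk, "下面的命令意思是只找出 2016-12-06 这一天修改的文件", overstates what `find . -maxdepth 1 -newermt "2016-12-06"` does: `-newermt` matches every file modified after that timestamp, so files changed on any later day are listed as well. Reword it to say files modified since 2016-12-06, or bound the range with a second test such as `! -newermt "2016-12-07"` if the text is meant to cover only that one day.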
@@ -77,20 +76,20 @@ find: I cannot figure out how to interpret '12-06-2016' as a date or time ![Find Todays Modified Files in Linux](http://www.tecmint.com/wp-content/uploads/2016/12/Find-Todays-Modified-Files.png) ][14] -在Linux中找出今天修改的文件 +*在 Linux 中找出今天修改的文件* -你可以在我们的下面一系列文章中获得`ls`和`find`命令的更多使用信息。 +你可以在我们的下面一系列文章中获得 `ls `和 `find` 命令的更多使用信息。 -1. [用15例子的掌握Linux ‘ls’ 命令][1] -2. [对Linux用户有用的7个奇怪的技巧][2] -3. [用35个例子掌握Linux ‘find’ 命令][3] -4. [在Linux中使用扩展查找多个文件名的方法][4] +- [用 15 例子的掌握 Linux ‘ls’ 命令][1] +- [对 Linux 用户有用的 7 个奇怪的技巧][2] +- [用 35 个例子掌握 Linux ‘find’ 命令][3] +- [在 Linux 中使用扩展查找多个文件名的方法][4] -在本文中,我们解释了如何使用ls和find命令帮助只列出今天的文件。 使用以下反馈栏向我们发送有关该主题的任何问题或意见。 你也可以提醒我们其他可以用于这个目的的命令。 +在本文中,我们解释了如何使用 ls 和 find 命令帮助只列出今天的文件。 请使用以下反馈栏向我们发送有关该主题的任何问题或意见。 你也可以提醒我们其他可以用于这个目的的命令。 -------------------------------------------------------------------------------- -作者简介:Aaron Kili是一名Linux和F.O.S.S的爱好者,将来的Linux系统管理员、网站开发人员,目前是TecMint的内容创作者,他喜欢用电脑工作,并坚信分享知识。 +作者简介:Aaron Kili是一名 Linux 和 F.O.S.S 的爱好者,未来的 Linux 系统管理员、网站开发人员,目前是 TecMint 的内容创作者,他喜欢用电脑工作,并乐于分享知识。 ------------------ @@ -98,7 +97,7 @@ via: http://www.tecmint.com/find-recent-modified-files-in-linux/ 作者:[Aaron Kili][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From b060e71b7f1be8929fd016ae0337846d932a1638 Mon Sep 17 00:00:00 2001 From: geekpi Date: Fri, 30 Dec 2016 16:00:38 +0800 Subject: [PATCH 120/181] translated --- .../20161028 Inkscape: Adding some colour.md | 51 ------------------- ...Getting started with Inkscape on Fedora.md | 2 +- .../20161028 Inkscape: Adding some colour.md | 49 ++++++++++++++++++ 3 files changed, 50 insertions(+), 52 deletions(-) delete mode 100644 sources/tech/20161028 Inkscape: Adding some colour.md create mode 100644 translated/tech/20161028 Inkscape: Adding some colour.md 
diff --git a/sources/tech/20161028 Inkscape: Adding some colour.md b/sources/tech/20161028 Inkscape: Adding some colour.md deleted file mode 100644 index bc8d432524..0000000000 --- a/sources/tech/20161028 Inkscape: Adding some colour.md +++ /dev/null 
@@ -1,51 +0,0 @@ -translating---geekpi - -### [Inkscape: Adding some colour][1] - - ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) - -In our previous Inkscape article, [we covered the absolute basics of getting started with Inkscape][2] — installing, and how to create basic shapes and manipulate them. We also covered changing the colour of inkscape objects using the Palette. While the Palette is great for quickly changing the colour of your objects from a pre-defined list, most times you will need more control over the colours of your objects. This is where we use one of the most important dialogs in Inkscape — the Fill and Stroke dialog. - -**A quick note about the animations in this post: **some of the colours in the animations appear banded. This is just an artifact of the way the animations are created. When you try this out on Inkscape you will see nice smooth gradients of colour. - -### Using the Fill / Stroke dialog - -To open the Fill and Stroke dialog in Inkscape, choose `Object` > `Fill and Stroke` from the main menu. Once opened, the main three tabs of this dialog allow you to inspect and change the Fill colour, Stroke colour, and Stroke style of the currently selected object. - - ![open-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/open-fillstroke.gif) - -In Inkscape, the Fill is the main colour given to the body of an object. The stroke of the object is an optional outline of your object. The stroke of an object also has additional styles — configurable in the Stroke style tab — allowing you to change the thickness of the stroke, create a dotted outline, or add rounded corners to you stroke. 
In this next animation, I change the fill colour of the star, and then change the stroke colour, and tweak the thickness of the stroke: - - ![using-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/using-fillstroke.gif) - -### Adding and Editing a gradient - -A gradient can also be the Fill (or the stroke) of an object. To quickly set a gradient fill from the Fill and Stroke dialog, first choose the Fill tab, then pick the linear gradient option: - - ![create-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/create-gradient.gif) - -To edit our gradient further, we need to use the specialised Gradient Tool. Choose the Gradient tool from the toolbar, and some additional gradient editing handles will appear on your selected shape. **Moving the handles** around will change the positioning of the gradient. If you **click on an individual handle**, you can also change the colour of that handle in the Fill and Stroke dialog. To **add an additional stop in your gradient**, double click on the line connecting the handles, and a new handle will appear. - - ![editing-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/editing-gradient.gif) - -* * * - -That covers the basics of adding some more colour and gradients to your Inkscape drawings. The** Fill and Stroke dialog**also has many other options to explore, like pattern fills, different gradient styles, and many different stroke styles. Also check out the additional options in the **Tools control bar** for the **Gradient Tool** to see how you can tweak gradients in different ways too. - ------------------------ - -作者简介:Ryan is a designer that works on stuff for Fedora. He uses Fedora Workstation as his primary desktop, along with the best tools from the Libre Graphics world, notably, the vector graphics editor, Inkscape. 
- --------------------------------------------------------------------------------- - -via: https://fedoramagazine.org/inkscape-adding-colour/ - -作者:[Ryan Lerch][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: http://ryanlerch.id.fedoraproject.org/ -[1]:https://fedoramagazine.org/inkscape-adding-colour/ -[2]:https://fedoramagazine.org/getting-started-inkscape-fedora/ diff --git a/translated/tech/20161021 Getting started with Inkscape on Fedora.md b/translated/tech/20161021 Getting started with Inkscape on Fedora.md index 66170f8fa4..b6ea1ea148 100644 --- a/translated/tech/20161021 Getting started with Inkscape on Fedora.md +++ b/translated/tech/20161021 Getting started with Inkscape on Fedora.md @@ -71,7 +71,7 @@ sudo dnf install inkscape 现在你有一堆图形了,你使用选择工具来移动它们。要使用选择工具,首先从工具栏中选择它,然后单击要操作的形状,接着将图形拖动到您想要的位置。 -选择形状时,你还可以使用调整大小手柄来缩放图形。此外,如果你单击所选的图形,调整大小控点将变为旋转模式,并允许你旋转图形: +选择形状时,你还可以使用调整大小锚点来缩放图形。此外,如果你单击所选的图形,调整大小控点将变为旋转模式,并允许你旋转图形: [ ![inkscape-movingshapes](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif) diff --git a/translated/tech/20161028 Inkscape: Adding some colour.md b/translated/tech/20161028 Inkscape: Adding some colour.md new file mode 100644 index 0000000000..aead9d6dfb --- /dev/null +++ b/translated/tech/20161028 Inkscape: Adding some colour.md 
@@ -0,0 +1,49 @@ +### [Inkscape: 添加颜色][1] + + ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) + +在我们先前的 Inkscape 文章中,[我们介绍了 Inkscape 的基础][2] - 安装,以及如何创建基本形状及操作它们。我们还介绍了使用 Palette 更改 inkscape 对象的颜色。 虽然 Palette 对于从预定义列表快速更改对象颜色非常有用,但大多数情况下,你需要更好地控制对象的颜色。这是我们使用 Inkscape 中最重要的对话框之一 - “Fill and Stroke” 对话框。 + +**关于文章中的动画的说明:**动画中的一些颜色看起来有条纹。这只是一个创建动画的方式。当你在 Inkscape 尝试时,你会看到很好的平滑渐变的颜色。 + +### 使用 Fill / Stroke 对话框 + +要在 Inkscape 中打开“ Fill and Stroke ”对话框,请从主菜单中选择 “Object”>“Fill and Stroke”。打开后,此对话框中的三个选项卡允许你检查和更改当前选定对象的填充颜色,描边颜色和描边样式。 + + ![open-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/open-fillstroke.gif) + +在 Inkscape 中,Fill是给予对象主体主要颜色。对象的笔画是对象的可选轮廓。 对象的笔画还有其他样式 - 可在“笔触样式”选项卡中进行配置 - ,它允许您更改笔触的粗细,创建虚线轮廓或为笔触添加圆角。 在下面的动画中,我会改变星形的填充颜色,然后改变笔触颜色,并调整笔触的粗细: + + ![using-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/using-fillstroke.gif) + +### 添加并编辑渐变 + +渐变也可以是对象的填充(或者描边)。要从 “Fill and Stroke” 对话框快速设置渐变填充,请先选择 “Fill” 选项卡,然后选择线性渐变选项: + + ![create-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/create-gradient.gif) + +要进一步编辑我们的渐变,我们需要使用专门的“Gradient Tool”。 从工具栏中选择“Gradient Tool”,会有一些额外的渐变编辑锚点将出现在你选择的形状上。 **移动锚点**将改变渐变的位置。 如果你**单击一个锚点**,您还可以在“Fill and Stroke”对话框中更改该锚点的颜色。 要**在渐变中添加新的锚点**,请双击连接锚点的线,然后会出现一个新的锚点。 + + ![editing-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/editing-gradient.gif) + +* * * + +这篇包括在 Inkscape 图纸中添加一些颜色和渐变的基础知识。 **“Fill and Stroke”** 对话框还有许多其他选项可供探索,如图案填充,不同的渐变样式和许多不同的笔触样式。另外,查看**工具控制栏** 的 **Gradient Tool** 中的其他选项,看看如何以不同的方式调整渐变。 + +----------------------- + +作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 + +-------------------------------------------------------------------------------- + +via: https://fedoramagazine.org/inkscape-adding-colour/ + +作者:[Ryan Lerch][a] +译者:[geekpi](https://github.com/geekpi) 
+校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: http://ryanlerch.id.fedoraproject.org/ +[1]:https://fedoramagazine.org/inkscape-adding-colour/ +[2]:https://fedoramagazine.org/getting-started-inkscape-fedora/ From b799b26efac1e3e92f3787681d10c039dbe53f6e Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Fri, 30 Dec 2016 16:10:11 +0800 Subject: [PATCH 121/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 少许格式调整 --- ... How to Find Recent or Today’s Modified Files in Linux.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md index 7febcfb992..9c0df6385d 100644 --- a/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md +++ b/translated/tech/20161206 How to Find Recent or Today’s Modified Files in Linux.md @@ -9,7 +9,7 @@ Linux 用户在命令行上遇到的常见问题之一是[定位具有特定名 下面用不同的方式只[列出所有你今天创建或修改的文件][7](直接或间接)。 -1.使用[ ls 命令][8],只列出你的 home 文件夹中今天的文件,其中: +1. 使用[ ls 命令][8],只列出你的 home 文件夹中今天的文件,其中: - `-a` - 列出所有文件,包括隐藏文件 - `-l` - 启用长列表格式 @@ -25,6 +25,7 @@ Linux 用户在命令行上遇到的常见问题之一是[定位具有特定名 *在Linux中找出最近的文件* + 此外,你使用可以 `-X` 标志来[按字母顺序对结果排序][10]: ``` @@ -37,7 +38,7 @@ Linux 用户在命令行上遇到的常见问题之一是[定位具有特定名 # ls -alS --time-style=+%D | grep 'date +%D' ``` -2. 另外,使用 [find 命令][11]会更灵活,并且提供比 ls 更多的选项,用于以下相同的目的。 +2. 另外,使用 [find 命令][11]会更灵活,并且提供比 ls 更多的选项,可以实现相同的目的。 -  `-maxdepth` 级别用于指定搜索操作的起点(在这个情况下为当前目录)下的搜索层级(子目录层级数)。 -  `-newerXY`,用于寻找时间戳 X 比参照文件的时间戳 Y 更新的文件。 X 和 Y 表示以下任何字母: From ad3e860dde54aa61fff411f455e75a6b60ca2be5 Mon Sep 17 00:00:00 2001 
From: wxy Date: Fri, 30 Dec 2016 16:39:16 +0800 Subject: [PATCH 122/181] PROOF:20161215 Building an Email Server on Ubuntu Linux - Part 2 @geekpi --- ...n Email Server on Ubuntu Linux - Part 2.md | 68 ++++++++----------- 1 file changed, 27 insertions(+), 41 deletions(-) diff --git a/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md index 7dc77cbec5..e982646542 100644 --- a/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md +++ b/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md 
@@ -1,55 +1,49 @@ -在Ubuntu上搭建一台Email服务器(二) +如何在 Ubuntu 环境下搭建邮件服务器(二) ============================================================ -### [dovecot-email.jpg][4] +![Dovecot email](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/dovecot-email.jpg?itok=tY4veggw "Dovecot email") - ![Dovecot email](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/dovecot-email.jpg?itok=tY4veggw "Dovecot email") -本教程的第2部分将介绍如何使用Dovecot将邮件从Postfix服务器移动到用户的收件箱。以[Creative Commons Zero][2]Pixabay方式授权发布 +本教程的第 2 部分将介绍如何使用 Dovecot 将邮件从 Postfix 服务器移动到用户的收件箱。以[Creative Commons Zero][2] 方式授权发布 -在[第一部分][5]中,我们安装并测试了Postfix SMTP服务器。Postfix或任何SMTP服务器都不是一个完整的邮件服务器,因为它所做的是在SMTP服务器之间移动邮件。我们需要Dovecot将邮件从Postfix服务器移动到用户的收件箱中。 +在[第一部分][5]中,我们安装并测试了 Postfix SMTP 服务器。Postfix 或任何 SMTP 服务器都不是一个完整的邮件服务器,因为它所做的只是在 SMTP 服务器之间移动邮件。我们需要 Dovecot 将邮件从 Postfix 服务器移动到用户的收件箱中。 -Dovecot支持两种标准邮件协议:IMAP(Internet邮件访问协议)和POP3(邮局协议)。 IMAP服务器保留服务器上的所有邮件。您的用户可以选择将邮件下载到计算机或仅在服务器上访问它们。 IMAP对于有多台机器的用户是方便的。但对你而言会有更多的工作,因为你必须确保你的服务器始终可用,而且IMAP服务器需要大量的存储和内存。 +Dovecot 支持两种标准邮件协议:IMAP(Internet 邮件访问协议)和 POP3(邮局协议)。 IMAP 服务器会在服务器上保留所有邮件。您的用户可以选择将邮件下载到计算机或仅在服务器上访问它们。 IMAP 对于有多台机器的用户是方便的。但对你而言需要更多的工作,因为你必须确保你的服务器始终可用,而且 IMAP 服务器需要大量的存储和内存。 -POP3是较旧的协议。POP3服务器可以比IMAP服务器服务更多的用户,因为邮件会下载到用户的计算机。大多数邮件客户端可以选择在服务器上保留一定天数的邮件,因此POP3的行为有点像IMAP。但它不是IMAP,当你像IMAP那样做那么常常会下载多次或意外删除。 +POP3 是较旧的协议。POP3 服务器可以比 IMAP 服务器服务更多的用户,因为邮件会下载到用户的计算机。大多数邮件客户端可以选择在服务器上保留一定天数的邮件,因此 POP3 的行为有点像 IMAP。但它又不是 IMAP,当你像 IMAP 那样(在多台计算机上使用它时)那么常常会下载多次或意外删除。 ### 安装 Dovecot -启动你信任的Ubuntu系统并安装Dovecot: +启动你的 Ubuntu 系统并安装 Dovecot: ``` - $ sudo apt-get install dovecot-imapd dovecot-pop3d ``` -它会在安装可用的配置并在完成后自动启动,你可以用`ps ax | grep dovecot`确认: +它会安装可用的配置,并在完成后自动启动,你可以用 `ps ax | grep dovecot` 确认: ``` - $ ps ax | grep dovecot 15988 ? Ss 0:00 /usr/sbin/dovecot 15990 ? S 0:00 dovecot/anvil 15991 ? 
S 0:00 dovecot/log ``` -打开你的Postfix配置文件`/etc/postfix/main.cf`,确保配置了maildirs而不是mbox邮件存储,mbox是对于每个用户的大文件,而maildir是每条消息都有一个文件。大量的小文件比一个庞大的文件更稳定且易于管理。下面添加两行,第二行告诉Postfix你需要maildir格式,并且在每个用户的家目录下创建一个`.Mail`目录。你可以取任何名字,不一定要是`.Mail`: +打开你的 Postfix 配置文件 `/etc/postfix/main.cf`,确保配置了maildir 而不是 mbox 的邮件存储方式,mbox 是给每个用户一个单一大文件,而 maildir 是每条消息都存储为一个文件。大量的小文件比一个庞大的文件更稳定且易于管理。添加如下两行,第二行告诉 Postfix 你需要 maildir 格式,并且在每个用户的家目录下创建一个 `.Mail` 目录。你可以取任何名字,不一定要是 `.Mail`: ``` - mail_spool_directory = /var/mail home_mailbox = .Mail/ ``` -现在调整你的Dovecot配置。首先把原始的`dovecot.conf`文件重命名,因为它会调用`conf.d`中的文件来让事情简单些: +现在调整你的 Dovecot 配置。首先把原始的 `dovecot.conf` 文件重命名放到一边,因为它会调用存放在 `conf.d` 中的文件,在你刚刚开始学习时把配置放一起更简单些: ``` - $ sudo mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot-oldconf ``` -现在创建一个新的`/etc/dovecot/dovecot.conf`: +现在创建一个新的 `/etc/dovecot/dovecot.conf`: ``` - disable_plaintext_auth = no mail_location = maildir:~/.Mail namespace inbox { @@ -74,30 +68,27 @@ userdb { } ``` -注意`mail_location = maildir` 必须和`main.cf`中的`home_mailbox`参数匹配。保存你的更改并重新加载Postfix和Dovecot配置: +注意 `mail_location = maildir` 必须和 `main.cf` 中的 `home_mailbox` 参数匹配。保存你的更改并重新加载 Postfix 和 Dovecot 配置: ``` - $ sudo postfix reload $ sudo dovecot reload ``` ### 快速导出配置 -使用下面的命令来查看你的Postfix和Dovecot配置: +使用下面的命令来快速查看你的 Postfix 和 Dovecot 配置: ``` - $ postconf -n $ doveconf -n ``` ### 测试 Dovecot -现在再次启动telnet,并且给自己发送一条测试消息。粗体显示的是你输入的命令。`studio`是我服务器的主机名,因此你必须用自己的: +现在再次启动 telnet,并且给自己发送一条测试消息。粗体显示的是你输入的命令。`studio` 是我服务器的主机名,因此你必须用自己的: ``` - $ telnet studio 25 Trying 127.0.1.1... Connected to studio. @@ -132,7 +123,7 @@ quit Connection closed by foreign host. ``` -现在请求Dovecot来取回你的新消息,使用你的Linux用户名和密码登录: +现在请求 Dovecot 来取回你的新消息,使用你的 Linux 用户名和密码登录: ``` 
@@ -173,12 +164,11 @@ quit Connection closed by foreign host. ``` -花一点时间比较第一个例子中输入的消息和第二个例子中接收的消息。 它很容易欺骗返回地址和日期,但Postfix不会这样。大多数邮件客户端默认显示一个最小的标头集,但是你需要读取完整的标头以查看真实的回溯。 +花一点时间比较第一个例子中输入的消息和第二个例子中接收的消息。 返回地址和日期是很容易伪造的,但 Postfix 不会被愚弄。大多数邮件客户端默认显示一个最小的标头集,但是你需要读取完整的标头才能查看真实的回溯。 -You can also read your messages by looking in your `~/Mail/cur` directory. They are plain text. Mine has two test messages: +你也可以在你的 `~/Mail/cur` 目录中查看你的邮件,它们是普通文本,我已经有两封测试邮件: ``` - $ ls .Mail/cur/ 1480540325.V806I28e0229M351743.studio:2,S 1480555224.V806I28e000eM41463.studio:2,S @@ -186,10 +176,9 @@ $ ls .Mail/cur/ ### 测试 IMAP -我们Dovecot同时启用了POP3和IMAP,因此我们使用telnet测试IMAP。 +我们 Dovecot 同时启用了 POP3 和 IMAP 服务,因此让我们使用 telnet 测试 IMAP。 ``` - $ telnet studio imap2 Trying 127.0.1.1... Connected to studio. 
@@ -221,28 +210,25 @@ A4 OK Logout completed. Connection closed by foreign host ``` -### Thunderbird邮件客户端 +### Thunderbird 邮件客户端 -图1中的屏幕截图显示了我局域网上另一台主机上的图形邮件客户端中的邮件。 +图 1 中的屏幕截图显示了我局域网上另一台主机上的图形邮件客户端中的邮件。 +![thunderbird mail](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/thunderbird-mail.png?itok=IkWK5Ti_ "thunderbird mail") -### [thunderbird-mail.png][3] +*图1: Thunderbird mail* - ![thunderbird mail](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/thunderbird-mail.png?itok=IkWK5Ti_ "thunderbird mail") +此时,你已有一个可以工作的 IMAP 和 POP3 邮件服务器,并且你也知道该如何测试你的服务器。你的用户可以在他们设置邮件客户端时选择要使用的协议。如果您只想支持一个邮件协议,那么只需要在您的 Dovecot 配置中留下你要的协议名字。 -图1: Thunderbird mail.[Used with permission][1] - -此时,你已有一个工作的IMAP和POP3邮件服务器,并且你也知道该如何测试你的服务器。你的用户将在他们设置邮件客户端时选择要使用的协议。如果您只想支持一个邮件协议,那么只需要命名您的Dovecot配置中的一个。 - -然而,这还远远没有完成。这是一个非常简单、没有加密的开放的安装。它也只适用于与邮件服务器在同一系统上的用户。这是不可扩展的,并具有一些安全风险,例如没有密码保护。 我们会在[下周][6]了解如何创建与系统用户分开的邮件用户,以及如何添加加密。 +然而,这还远远没有完成。这是一个非常简单、没有加密的、大门敞开的安装。它也只适用于与邮件服务器在同一系统上的用户。这是不可扩展的,并具有一些安全风险,例如没有密码保护。 我们会在[下篇][6]了解如何创建与系统用户分开的邮件用户,以及如何添加加密。 -------------------------------------------------------------------------------- via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-2 -作者:[ CARLA SCHRODER][a] +作者:[CARLA SCHRODER][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 @@ -251,5 +237,5 @@ via: https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-par [2]:https://www.linux.com/licenses/category/creative-commons-zero [3]:https://www.linux.com/files/images/thunderbird-mailpng [4]:https://www.linux.com/files/images/dovecot-emailjpg -[5]:https://www.linux.com/learn/how-build-email-server-ubuntu-linux +[5]:https://linux.cn/article-8071-1.html [6]:https://www.linux.com/learn/sysadmin/building-email-server-ubuntu-linux-part-3 
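Review bot: In the hunk at `@@ -173,12 +164,11 @@` of "Building an Email Server on Ubuntu Linux - Part 2", the newly translated sentence "你也可以在你的 `~/Mail/cur` 目录中查看你的邮件" points readers at `~/Mail/cur`, which does not match the rest of the file. The configuration earlier in the article sets `home_mailbox = .Mail/` and `mail_location = maildir:~/.Mail`, and the command directly under this sentence is `ls .Mail/cur/`. The path in the sentence should read `~/.Mail/cur`, so that a reader checking delivered mail looks in the maildir that Postfix and Dovecot were actually configured to use. The English line being replaced has the same slip, so it is worth a translator's note or a silent correction in the published copy.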
From fff8d04531a282b22a712781c0ffb53abbe79080 Mon Sep 17 00:00:00 2001 From: wxy Date: Fri, 30 Dec 2016 16:39:28 +0800 Subject: [PATCH 123/181] PUB:20161215 Building an Email Server on Ubuntu Linux - Part 2 @geekpi --- .../20161215 Building an Email Server on Ubuntu Linux - Part 2.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161215 Building an Email Server on Ubuntu Linux - Part 2.md (100%) diff --git a/translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md b/published/20161215 Building an Email Server on Ubuntu Linux - Part 2.md similarity index 100% rename from translated/tech/20161215 Building an Email Server on Ubuntu Linux - Part 2.md rename to published/20161215 Building an Email Server on Ubuntu Linux - Part 2.md From 5e06fbb3d14b86b48f7de119c5181c297f4bf2bb Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Fri, 30 Dec 2016 17:07:33 +0800 Subject: [PATCH 124/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对中 --- .../tech/20161021 Getting started with Inkscape on Fedora.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/translated/tech/20161021 Getting started with Inkscape on Fedora.md b/translated/tech/20161021 Getting started with Inkscape on Fedora.md index b6ea1ea148..49395603ce 100644 --- a/translated/tech/20161021 Getting started with Inkscape on Fedora.md +++ b/translated/tech/20161021 Getting started with Inkscape on Fedora.md @@ -92,7 +92,7 @@ via: https://fedoramagazine.org/getting-started-inkscape-fedora/ 作者:[Ryan Lerch][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From cbb0a7302efbf9a2ddfa572ec25f8e41df5be18f Mon Sep 17 00:00:00 2001 
From: jasminepeng Date: Fri, 30 Dec 2016 17:32:10 +0800 Subject: [PATCH 125/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 --- ...Getting started with Inkscape on Fedora.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/translated/tech/20161021 Getting started with Inkscape on Fedora.md b/translated/tech/20161021 Getting started with Inkscape on Fedora.md index 49395603ce..53d66d4833 100644 --- a/translated/tech/20161021 Getting started with Inkscape on Fedora.md +++ b/translated/tech/20161021 Getting started with Inkscape on Fedora.md 
@@ -1,26 +1,26 @@ -### [在 Fedora 中使用 Inkscape][2] +### [Fedora 中使用 Inkscape 起步][2] ![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) -Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编辑器][3],它已经在 Fedora 官方仓库中。它专门为[SVG格式][4]中创建矢量图形而定制。Inkscape 非常适合创建和操作图片和插图。它也适用于创建图表和模拟用户界面。 +Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编辑器][3],它已经在 Fedora 官方仓库中。它特别适合生成 [SVG 格式][4]的矢量图形。Inkscape 非常适于创建和操作图片和插图,以及创建图表和模拟用户界面。 [ ![cyberscoty-landscape-800px](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png) ][5] -使用inkscape创建的[风车景色][1]的插图 +*使用 inkscape 创建的[风车景色][1]的插图* -[官方网站上的截图页][6]上有一些很好的例子,说明Inkscape可以做些什么。Fedora杂志上的大多数精选图片也是使用 Inkscape 创建的,包括最近的精选图片: +[官方网站的截图页][6]上有一些很好的例子,说明 Inkscape 可以做些什么。Fedora 杂志Fedora Magazine上的大多数精选图片也是使用 Inkscape 创建的,包括最近的精选图片: [ ![communty](https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png) ][7] -最近使用 Inkscape 创建的 Fedora 杂志精选图片 +*最近使用 Inkscape 创建的 Fedora 杂志精选图片* -### 在 Fedora 中安装 Inkscape +### 在 Fedora 上安装 Inkscape -**Inkscape 已经[在 Fedora 官方仓库中了][8],因此可以非常简单地在 Fedora Workstation 使用 Software 这个程序安装它:** +**Inkscape 已经[在 Fedora 官方仓库中了][8],因此可以非常简单地在 Fedora Workstation 上使用 Software 这个应用来安装它:** [ ![inkscape-gnome-software](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gnome-software.png) @@ -34,7 +34,7 @@ sudo dnf install inkscape ### (开始)深入 Inkscape -当第一次打开程序是,你会看到一个空白页面,并且有一组不同的工具栏。对于初学者,最重要的三个工具栏是:Toolbar、Tools Control Bar、 Colour Palette: +当第一次打开程序时,你会看到一个空白页面,并且有一组不同的工具栏。对于初学者,最重要的三个工具栏是:Toolbar、Tools Control Bar、 Colour Palette(调色板): [ ![inkscape_window](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape_window.png) 
@@ -55,23 +55,23 @@ sudo dnf install inkscape ![](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif) ][11] -### 绘画图形 +### 绘图 -接下来,让我们使用 Inkscape 绘制一个星星。 首先,从 **Toolbar** 中选择星形工具,**然后单击并拖动主绘图区域。** +接下来,让我们使用 Inkscape 绘制一个星星。 首先,从 **Toolbar** 中选择星形工具,**然后在主绘图区域上单击并拖动。** -你可能会注意到你的星看起来很像一个三角形。要更改它,请使用 “Tools Control Bar” 中的 “Corners” 选项,然后再添加几个点。 最后,当你完成后,当星星仍被选中时,从“调色板”中选择一种颜色来改变星星的颜色: +你可能会注意到你画的星星看起来很像一个三角形。要更改它,请使用 **Tools Control Bar** 中的 **Corners** 选项,再添加几个点。 最后,当你完成后,在星星仍被选中的状态下,从 **Palette**(调色板)中选择一种颜色来改变星星的颜色: [ ![inkscape-drawastar](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif) ][12] -接下来,在Toolbar中实验一些其他形状工具,如矩形工具,螺旋工具和圆形工具。每个工具都设置下来创建一些独特的图形。 +接下来,在 Toolbar 中实验一些其他形状工具,如矩形工具,螺旋工具和圆形工具。通过不同的设置,每个工具都可以创建一些独特的图形。 -### 在绘图中选择移动对象 +### 在绘图中选择并移动对象 -现在你有一堆图形了,你使用选择工具来移动它们。要使用选择工具,首先从工具栏中选择它,然后单击要操作的形状,接着将图形拖动到您想要的位置。 +现在你有一堆图形了,你可以使用 Select 工具来移动它们。要使用 Select 工具,首先从工具栏中选择它,然后单击要操作的形状,接着将图形拖动到您想要的位置。 -选择形状时,你还可以使用调整大小锚点来缩放图形。此外,如果你单击所选的图形,调整大小控点将变为旋转模式,并允许你旋转图形: +选择形状后,你还可以使用尺寸句柄调整图形大小。此外,如果你单击所选的图形,尺寸句柄将转变为旋转模式,并允许你旋转图形: [ ![inkscape-movingshapes](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-movingshapes.gif) @@ -83,7 +83,7 @@ Inkscape是一个很棒的软件,它还包含了更多的工具和功能。在 ----------------------- -作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 +作者简介:Ryan 是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自 Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 -------------------------------------------------------------------------------- From 2bb9e4e11238d730c454e32e635f048a44405259 Mon Sep 17 00:00:00 2001 
From: wxy Date: Sat, 31 Dec 2016 00:06:06 +0800 Subject: [PATCH 126/181] =?UTF-8?q?PROOF:20160826=20Forget=20Technical=20D?= =?UTF-8?q?ebt=20=E2=80=94Here'sHowtoBuild=20Technical=20Wealth?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking proof again , @jasminepeng --- ...Debt —Here'sHowtoBuild Technical Wealth.MD | 129 +++++++++--------- 1 file changed, 64 insertions(+), 65 deletions(-) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD index fca26ca316..026e10c717 100644 --- a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD +++ b/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD 
@@ -1,16 +1,17 @@ -#忘记技术债务 —— 教你如何创造技术财富 +忘记技术债务 —— 教你如何创造技术财富 +=============== -电视里正播放着《老屋》节目,[Andrea Goulet][58] 和她商业上的合作伙伴正悠闲地坐在客厅里,商讨着他们的战略计划。那正是大家思想的火花碰撞出创新事物的时刻。他们正在寻求一种能够实现自身价值的方式 —— 为其它公司清理遗留代码legacy code及科技债务。他们此刻的情景,像极了电视里的场景。(译者注:《老屋》电视节目提供专业的家装,家庭改建,重新装饰,创意等等信息,与软件的改造有异曲同工之处)。 +电视里正播放着《老屋》节目,[Andrea Goulet][58] 和她的商业合作伙伴正悠闲地坐在客厅里,商讨着他们的战略计划。那正是大家思想的火花碰撞出创新事物的时刻。他们正在寻求一种能够实现自身价值的方式 —— 为其它公司清理遗留代码legacy code及科技债务。他们此刻的情景,像极了电视里的场景。(LCTT 译注:《老屋》电视节目提供专业的家装、家庭改建、重新装饰、创意等等信息,与软件的改造有异曲同工之处)。 -“我们意识到我们现在做的工作不仅仅是清理遗留代码,实际上我们是在用重建老屋的方式来重构软件,让系统运行更持久,更稳定,更高效,”Goulet 说。“这让我开始思考公司如何花钱来改善他们的代码,以便让他们的系统运行更高效。就好比为了让屋子变得更有价值,你不得不使用一个全新的屋顶。这并不吸引人,但却是至关重要的,然而很多人都搞错了。“ +“我们意识到我们现在做的工作不仅仅是清理遗留代码,实际上我们是在用重建老屋的方式来重构软件,让系统运行更持久、更稳定、更高效,”Goulet 说。“这让我开始思考公司如何花钱来改善他们的代码,以便让他们的系统运行更高效。就好比为了让屋子变得更有价值,你不得不使用一个全新的屋顶。这并不吸引人,但却是至关重要的,然而很多人都搞错了。“ -如今,她是 [Corgibytes][57] 公司的 CEO —— 一家提高软件现代化和进行系统重构方面的咨询公司。她曾经见过各种各样糟糕的系统,遗留代码,以及严重的科技债务事件。Goulet 认为创业公司需要转变思维模式,不是偿还债务,而是创造科技财富,不是要铲除旧代码,而是要逐步修复代码。她解释了这种新的方法,以及如何完成这些看似不可能完成的事情 —— 实际上是聘用优秀的工程师来完成这些工作。 +如今,她是 [Corgibytes][57] 公司的 CEO —— 这是一家提高软件现代化和进行系统重构方面的咨询公司。她曾经见过各种各样糟糕的系统、遗留代码,以及严重的科技债务事件。Goulet 认为**创业公司需要转变思维模式,不是偿还债务,而是创造科技财富,不是要铲除旧代码,而是要逐步修复代码**。她解释了这种新的方法,以及如何完成这些看似不可能完成的事情 —— 实际上是聘用优秀的工程师来完成这些工作。 ### 反思遗留代码 -关于遗留代码最常见的定义是由 Michael Feathers 在他的著作[《高效利用遗留代码》Working Effectively with Legacy Code][56]一书中提出:遗留代码就是没有被测试的代码。这个定义比大多数人所认为的 —— 遗留代码仅指那些古老陈旧的系统这个说法要妥当得多。但是 Goulet 认为这两种定义都不够明确。“遗留代码与软件的年头儿毫无关系。一个两年的应用程序,其代码可能已经进入遗留状态了,”她说。“关键要看软件质量提高的难易程度。” +关于遗留代码最常见的定义是由 Michael Feathers 在他的著作[《高效利用遗留代码》Working Effectively with Legacy Code][56]一书中提出:遗留代码就是没有被测试所覆盖的代码。这个定义比大多数人所认为的 —— 遗留代码仅指那些古老、陈旧的系统这个说法要妥当得多。但是 Goulet 认为这两种定义都不够明确。“遗留代码与软件的年头儿毫无关系。一个两年的应用程序,其代码可能已经进入遗留状态了,”她说。“**关键要看软件质量提高的难易程度。**” -这意味着代码写得不够清楚,缺少解释说明,没有包含任何关于代码构思和决策制定的流程。单元测试可以有一定帮助,但也要包括所有的写那部分代码的原因以及逻辑推理相关的文档。如果想要提升代码,但没办法搞清楚原开发者的意图 —— 那些代码就属于遗留代码了。 +这意味着写得不够清楚、缺少解释说明的代码,是没有包含任何关于代码构思和决策制定的流程的成果。单元测试就是这样的一种成果,但它并没有包括了写那部分代码的原因以及逻辑推理相关的所有文档。如果想要提升代码,但没办法搞清楚原开发者的意图 —— 
那些代码就属于遗留代码了。 > **遗留代码不是技术问题,而是沟通上的问题。** 
@@ -18,35 +19,35 @@ 如果你像 Goulet 所说的那样迷失在遗留代码里,你会发现每一次的沟通交流过程都会变得像那条[康威定律Conway’s Law][54]所描述的一样。 -Goulet 说:“这个定律认为系统的基础架构能反映出整个公司的组织沟通结构,如果想修复公司的遗留代码,而没有一个好的组织沟通方式是不可能完成的。那是很多人都没注意到的一个重要环节。” +Goulet 说:“这个定律认为你的代码能反映出整个公司的组织沟通结构,如果想修复公司的遗留代码,而没有一个好的组织沟通方式是不可能完成的。那是很多人都没注意到的一个重要环节。” Goulet 和她的团队成员更像是考古学家一样来研究遗留系统项目。他们根据前开发者写的代码构件相关的线索来推断出他们的思想意图。然后再根据这些构件之间的关系来做出新的决策。 -最重要的代码是什么样子呢?**良好的代码结构、清晰的思想意图、整洁的代码**。例如,如果使用通用的名称如 “foo” 或 “bar” 来命名一个变量,半年后再返回来看这段代码时,根本就看不出这个变量的用途是什么。 +代码构件最重要的什么呢?**良好的代码结构、清晰的思想意图、整洁的代码**。例如,如果使用通用的名称如 “foo” 或 “bar” 来命名一个变量,半年后再返回来看这段代码时,根本就看不出这个变量的用途是什么。 如果代码读起来很困难,可以使用源代码控制系统,这是一个非常有用的工具,因为它可以提供代码的历史修改信息,并允许软件开发者写明他们作出本次修改的原因。 -Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要,每一个概要部分的内容应该有推文的一半多,而代码的描述信息应该有一篇博客那么长。你得用这个方式来为你修改的代码写一个合理的说明。这不会浪费太多额外的时间,并且能给后期的项目开发者提供非常多的有用的信息,但是让人惊讶的是很少有人会这么做。我们经常听到一些开发人员在调试代码的过程中,很沮丧的报怨这是谁写的这烂代码,最后发现还不是他们自己写的。” +Goulet 说:“我一个朋友认为提交代码时附带的信息,每一个概要部分的内容应该有半条推文那么长(几十个字),如需要的话,代码的描述信息应该有一篇博客那么长。你得用这个方式来为你修改的代码写一个合理的说明。这不会浪费太多额外的时间,并且能给后期的项目开发者提供非常多的有用信息,但是让人惊讶的是很少有人会这么做。我们经常能看到一些开发人员在被一段代码激怒之后,要用 `git blame` 扒代码库找出这些垃圾是谁干的,结果最后发现是他们自己干的。” 使用自动化测试对于理解程序的流程非常有用。Goulet 解释道:“很多人都比较认可 Michael Feathers 提出的关于遗留代码的定义。测试套件对于理解开发者的意图来说是非常有用的工具,尤其当用来与[行为驱动开发模式Behavior Driven Development][53]相结合时,比如编写测试场景。” -理由很简单,如果你想利用好遗留代码,你得多注意使代码在将来易于理解和工作的一些细节上。编写并运行单元程序、接受、认可,并且进行集成测试,写清楚注释的内容。方便以后你自己或是别人来理解你写的代码。 +理由很简单,如果你想将遗留代码限制在一定程度下,注意到这些细节将使代码更易于理解,便于在以后也能工作。编写并运行一个代码单元,接受、认可,并且集成测试。写清楚注释的内容,方便以后你自己或是别人来理解你写的代码。 -尽管如此,由于很多已知的和不可意料的原因,遗留代码仍然会发生。 +尽管如此,由于很多已知的和不可意料的原因,遗留代码仍然会出现。 在创业公司刚成立初期,公司经常会急于推出很多新的功能。开发人员在巨大的交付压力下,测试常常半途而废。Corgibytes 团队就遇到过好多公司很多年都懒得对系统做详细的测试了。 -确实如此,当你急于开发出系统原型的时候,强制性地去做太多的测试也许意义不大。但是,一旦产品开发完成并投入使用后,你就需要投入时间精力来维护及完善系统了。Goulet 说:“很多人觉得运维没什么好担心的,重要的是产品功能特性上的强大。如果真这样,当系统规模到一定程序的时候,就很难再扩展了。同时也就失去市场竞争力了。 +确实如此,当你急于开发出系统原型的时候,强制性地去做太多的测试也许意义不大。但是,一旦产品开发完成并投入使用后,你就需要投入时间精力来维护及完善系统了。Goulet 说:“很多人说,‘别在维护上费心思,重要的是功能!’ **如果真这样,当系统规模到一定程序的时候,就很难再扩展了。同时也就失去市场竞争力了。**” 
-最后才明白过来,原来热力学第二定律对代码也同样适用:你所面临的一切将向熵增的方向发展。你需要与混乱无序的技术债务进行一场无休无止的战斗。遗留代码随着时间的增长,也逐渐变成一种债务。 +最后才明白过来,原来热力学第二定律对代码也同样适用:**你所面临的一切将向熵增的方向发展。**你需要与混乱无序的技术债务进行一场无休无止的战斗。随着时间的推移,遗留代码也逐渐变成一种债务。 -她说:“我们再次拿家来做比喻。你必须坚持每天收拾餐具,打扫卫生,倒垃圾。如果你不这么做,情况将来越来越糟糕,直到有一天你不得不向 HazMat 团队求助。”(译者注:HazMat 团队,危害物质专队) +她说:“我们再次拿家来做比喻。你必须坚持每天收拾餐具、打扫卫生、倒垃圾。如果你不这么做,情况将来越来越糟糕,直到有一天你不得不向 HazMat 团队求助。”(LCTT 译注:HazMat 团队,危害物质专队) 就跟这种情况一样,Corgibytes 团队接到很多公司 CEO 的求助电话,比如 Features 公司的 CEO 在电话里抱怨道:“现在我们公司的开发团队工作效率太低了,三年前只需要两个星期就完成的工作,现在却要花费12个星期。” -> **技术债务往往反应出公司运作上的问题。** +> **技术债务往往反映出公司运作上的问题。** -很多公司的 CTO 明知会发生技术债务的问题,但是他们很难说服其它同事相信,花钱来修复那些已经存在的问题是值得的。这看起来像是在走回头路,很乏味或者没有新的产品。有些公司直到系统已经严重影响了日常工作效率时,才着手去处理这些技术债务方面的问题,那时付出的代价就太高了。 +很多公司的 CTO 明知会发生技术债务的问题,但是他们很难说服其它同事相信花钱来修复那些已经存在的问题是值得的。这看起来像是在走回头路,很乏味,也不是新的产品。有些公司直到系统已经严重影响了日常工作效率时,才着手去处理这些技术债务方面的问题,那时付出的代价就太高了。 ### 忘记债务,创造技术财富 
@@ -66,90 +67,90 @@ Goulet 说:“我一个朋友认为提交代码时附带的信息,如需要 这就像对一栋房子,要实现其现代化及维护的方式有两种:小动作,表面上的更改(“我买了一块新的小地毯!”)和大改造,需要很多年才能偿还所有债务(“我想我们应替换掉所有的管道...”)。你必须考虑好两者,才能让你们已有的产品和整个团队顺利地运作起来。 -这还需要提前预算好 —— 否则那些较大的花销将会是硬伤。定期维护是最基本的预期费用。让人震惊的是,很多公司在商务上都没把维护成本预算进来。 +这还需要提前预算好 —— 否则那些较大的花销将会是硬伤。定期维护是最基本的预期费用。让人震惊的是,很多公司都没把维护当成商务成本预算进来。 -这就是 Goulet 提出“**软件重构software remodeling**”这个术语的原因。当你房子里的一些东西损坏的时候,你并不是铲除整个房子,从头开始重建。同样的,当你们公司出现老的,损坏的代码时,重写代码通常不是最明智的选择。 +这就是 Goulet 提出“**软件重构software remodeling**”这个术语的原因。当你房子里的一些东西损坏的时候,你并不是铲除整个房子,从头开始重建。同样的,当你们公司出现老的、损坏的代码时,重写代码通常不是最明智的选择。 下面是 Corgibytes 公司在重构客户代码用到的一些方法: -* 把大型的应用系统分解成轻量级的更易于维护的微服务。 -* 相互功能模块之间降低耦合性以便于扩展。 -* 更新品牌和提升用户前端界面体验。 -* 集合自动化测试来检查代码可用性。 -* 重构或者修改代码库来提高易用性。 +* 把大型的应用系统分解成轻量级的更易于维护的微服务。 +* 让功能模块彼此解耦以便于扩展。 +* 更新形象和提升用户前端界面体验。 +* 集合自动化测试来检查代码可用性。 +* 代码库可以让重构或者修改更易于操作。 -系统重构也进入到运维领域。比如,Corgibytes 公司经常推荐新客户使用 [Docker][50],以便简单快速的部署新的开发环境。当你们团队有30个工程师的时候,把初始化配置时间从 10 小时减少到 10 分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 +系统重构也进入到 DevOps 领域。比如,Corgibytes 公司经常推荐新客户使用 [Docker][50],以便简单快速的部署新的开发环境。当你们团队有 30 个工程师的时候,把初始化配置时间从 10 小时减少到 10 分钟对完成更多的工作很有帮助。系统重构不仅仅是应用于软件开发本身,也包括如何进行系统重构。 -如果你知道做些什么能让你们的代码管理起来更容易更高效,就应该把这它们写入到每年或季度的项目规划中。别指望它们会自动呈现出来。但是也别给自己太大的压力来马上实施它们。Goulets 看到很多公司从一开始就致力于100% 覆盖率测试而陷入困境。 +如果你知道做些什么能让你们的代码管理起来更容易更高效,就应该把这它们写入到每年或季度的项目规划中。别指望它们会自动呈现出来。但是也别给自己太大的压力来马上实施它们。Goulets 看到很多公司从一开始就致力于 100% 测试覆盖率而陷入困境。 **具体来说,每个公司都应该把以下三种类型的重构工作规划到项目建设中来:** -* 自动化测试 -* 持续性交付 +* 自动测试 +* 持续交付 * 文化提升 咱们来深入的了解下每一项内容。 -**自动化测试** +#### 自动测试 - “有一位客户即将进行第二轮融资,但是他们没办法在短期内招聘到足够的人才。我们帮助他们引进了一种自动化测试框架,这让他们的团队在 3 个月的时间内工作效率翻了一倍,”Goulets说。“这样他们就可以在他们的投资人面前自豪的说,‘我们一个精英团队完成的任务比两个普通的团队要多。’” + “有一位客户即将进行第二轮融资,但是他们没办法在短期内招聘到足够的人才。我们帮助他们引进了一种自动化测试框架,这让他们的团队在 3 个月的时间内工作效率翻了一倍,”Goulets 说。“这样他们就可以在他们的投资人面前自豪的说,‘我们一个精英团队完成的任务比两个普通的团队要多。’” -自动化测试从根本上来讲就是单个测试的组合。你可以使用单元测试再次检查某一行代码。可以使用集成测试来确保系统的不同部分都正常运行。还可以使用验收性测试来检验系统的功能特性是否跟你想像的一样。当你把这些测试写成测试脚本后,你只需要简单地用鼠标点一下按钮就可以让系统自行检验了,而不用手工的去梳理并检查每一项功能。 
+自动化测试从根本上来讲就是单个测试的组合,就是可以再次检查某一行代码的单元测试。可以使用集成测试来确保系统的不同部分都正常运行。还可以使用验收性测试来检验系统的功能特性是否跟你想像的一样。当你把这些测试写成测试脚本后,你只需要简单地用鼠标点一下按钮就可以让系统自行检验了,而不用手工的去梳理并检查每一项功能。 -在产品市场尚未打开之前就来制定自动化测试机制有些言之过早。但是一旦你有一款感到满满,并且客户也很依赖的产品,就应该把这件事付诸实施了。 +在产品市场尚未打开之前就来制定自动化测试机制有些言之过早。但是一旦你有一款感到满意,并且客户也很依赖的产品,就应该把这件事付诸实施了。 -**持续性交付** +#### 持续交付 -这是与自动化交付相关的工作,过去是需要人工完成。目的是当系统部分修改完成时可以迅速进行部署,并且短期内得到反馈。这使公司在其它竞争对手面前有很大的优势,尤其是在售后服务行业。 +这是与自动化交付相关的工作,过去是需要人工完成。目的是当系统部分修改完成时可以迅速进行部署,并且短期内得到反馈。这使公司在其它竞争对手面前有很大的优势,尤其是在客户服务行业。 “比如说你每次部署系统时环境都很复杂。熵值无法有效控制,”Goulets 说。“我们曾经见过花 12 个小时甚至更多的时间来部署一个很大的集群环境。在这种情况下,你不会愿意频繁部署了。因为太折腾人了,你还会推迟系统功能上线的时间。这样,你将落后于其它公司并失去竞争力。” **在持续性改进的过程中常见的其它自动化任务包括:** -*   在提交完成之后检查中断部分。 -* 在出现故障时进行回滚操作。 -* 审查自动化代码的质量。 -* 根据需求增加或减少服务器硬件资源。 -* 让开发,测试及生产环境配置简单易懂。 +* 在提交完成之后检查构建中断部分。 +* 在出现故障时进行回滚操作。 +* 自动化审查代码的质量。 +* 根据需求增加或减少服务器硬件资源。 +* 让开发、测试及生产环境配置简单易懂。 举一个简单的例子,比如说一个客户提交了一个系统 Bug 报告。开发团队越高效解决并修复那个 Bug 越好。对于开发人员来说,修复 Bug 的挑战根本不是个事儿,这本来也是他们的强项,主要是系统设置上不够完善导致他们浪费太多的时间去处理 bug 以外的其它问题。 -使用持续改进的方式时,在你决定哪些工作应该让机器去做,哪些最好交给研发去完成的时候,你会变得更干脆了。如果机器更擅长,那就使其自动化完成。这样也能让研发愉快地去解决其它有挑战性的问题。同时客户也会很高兴地看到他们报怨的问题被快速处理了。你的待修复的未完成任务数减少了,之后你就可以把更多的时间投入到运用新的方法来提高公司产品质量上了。**这是创造科技财富的一种转变。**因为开发人员可以修复 bug 后立即发布新代码,这样他们就有时间和精力做更多事。 +使用持续改进的方式时,你要严肃地决定决定哪些工作应该让机器去做,哪些交给研发去完成更好。如果机器更擅长,那就使其自动化完成。这样也能让研发愉快地去解决其它有挑战性的问题。同时客户也会很高兴地看到他们报怨的问题被快速处理了。你的待修复的未完成任务数减少了,之后你就可以把更多的时间投入到运用新的方法来提高产品的质量上了。**这是创造科技财富的一种转变。**因为开发人员可以修复 bug 后立即发布新代码,这样他们就有时间和精力做更多事。 “你必须时刻问自己,‘我应该如何为我们的客户改善产品功能?如何做得更好?如何让产品运行更高效?’不过还要不止于此。”Goulets 说。“一旦你回答完这些问题后,你就得询问下自己,如何自动去完成那些需要改善的功能。” -**提升企业文化** +#### 文化提升 -Corgibytes公司每天都会看到同样的问题:一家创业公司建立了一个对开发团队毫无影响的文化环境。公司 CEO 抱着双臂思考着为什么这样的环境对员工没多少改变。然而事实却是公司的企业文化对工作并不利。为了激励工程师,你必须全面地了解他们的工作环境。 +Corgibytes 公司每天都会看到同样的问题:一家创业公司建立了一个对开发团队毫无推动的文化环境。公司 CEO 抱着双臂思考着为什么这样的环境对员工没多少改变。然而事实却是公司的企业文化对工作并不利。为了激励工程师,你必须全面地了解他们的工作环境。 为了证明这一点,Goulet 引用了作者 Robert Henry 说过的一段话: > **目的不是创造艺术,而是在最美妙的状态下让艺术应运而生。** - 
“你们也要开始这样思考一下你们的软件,”她说。“你们的企业文件就类似状态。你们的目标是总能创造一个让艺术品应运而生的环境,这件艺术品就是你们公司的代码,一流的售后服务、充满幸福感的开发者、良好的市场、盈利能力等等。这些都息息相关。” +“你们也要开始这样思考一下你们的软件,”她说。“你们的企业文件就类似那个状态。你们的目标就是创造一个让艺术品应运而生的环境,这件艺术品就是你们公司的代码、一流的售后服务、充满幸福感的开发者、良好的市场预期、盈利能力等等。这些都息息相关。” -优先考虑公司的技术债务和遗留代码也是一种文化。那是真正为开发团队清除障碍,以制造影响的方法。同时,这也会让你将来有更多的时间精力去完成更重要的工作。如果你不从根本上改变固有的企业文化环境,你就不可能重构公司产品。改变对产品维护及现代化上投资的态度是开始实施变革的第一步,最理想情况是从公司的CEO开始转变。 +优先考虑解决公司的技术债务和遗留代码也是一种文化。那是真正为开发团队清除障碍,以制造影响的方法。同时,这也会让你将来有更多的时间精力去完成更重要的工作。如果你不从根本上改变固有的企业文化环境,你就不可能重构公司产品。改变对产品维护及现代化的投资的态度是开始实施变革的第一步,最理想情况是从公司的 CEO 开始自顶向下转变。 以下是 Goulet 关于建立那种流态文化方面提出的建议: -*   反对公司嘉奖那些加班到深夜的“英雄”。提倡高效率的工作方式。 -*   了解协同开发技术,比如 Woody Zuill 提出的[合作编程Mob Programming][44]模式。 -* 遵从 4 个[现代敏捷开发][42] 原则:用户至上、实践及快速学习、把系统安全放在首位、持续交付价值。 -* 每周为研发提供项目外的职业发展时间。 -* 把[日工作记录][43]作为一种驱动开发团队主动解决问题的方式。 -* 把同情心放在第一位。Corgibytes 公司让员工参加 [Brene Brown 勇气工厂][40]的培训是非常有用的。 +* 反对公司嘉奖那些加班到深夜的“英雄”。提倡高效率的工作方式。 +* 了解协同开发技术,比如 Woody Zuill 提出的[合作编程Mob Programming][44]模式。 +* 遵从 4 个[现代敏捷开发][42]原则:用户至上、实践及快速学习、把安全放在首位、持续交付价值。 +* 每周为研发人员提供项目外的职业发展时间。 +* 把[日工作记录][43]作为一种驱动开发团队主动解决问题的方式。 +* 把同情心放在第一位。Corgibytes 公司让员工参加 [Brene Brown 勇气工厂][40]的培训是非常有用的。 -“如果公司高管和投资者不支持这种升级方式,你得从客户服务的角度去说服他们,”Goulet 说,“告诉他们通过这次调整后,最终产品将如何给公司的大客户提高更好的体验。这是你能做的一个很有力的论点。” +“如果公司高管和投资者不支持这种升级方式,你得从客户服务的角度去说服他们,”Goulet 说,“告诉他们通过这次调整后,最终产品将如何给公司的大多数客户提高更好的体验。这是你能做的一个很有力的论点。” ### 寻找最具天才的代码重构者 整个行业都认为顶尖的工程师不愿意干修复遗留代码的工作。他们只想着去开发新的东西。大家都说把他们留在维护部门真是太浪费人才了。 -其实这些都是误解。如果你知道去哪里和如何找工程师,并为他们提供一个愉快的工作环境,你就可以找到技术非常精湛的工程师,来帮你解决那些最棘手的技术债务问题。 +**其实这些都是误解。如果你知道去哪里和如何找工程师,并为他们提供一个愉快的工作环境,你就可以找到技术非常精湛的工程师,来帮你解决那些最棘手的技术债务问题。** -“每一次开会的时候,我们都会问现场的同事‘谁喜欢去干遗留代码的工作?’每次只有不到 10% 的同事会举手。”Goulet 说。“但是我跟这些人交流后,我发现这些工程师恰好是喜欢最具挑战性工作的人才。” +“每次在会议上,我们都会问现场的同事‘谁喜欢去在遗留代码上工作?’每次只有不到 10% 的与会者会举手。”Goulet 说。“但是我跟这些人交流后,我发现这些工程师恰好是喜欢最具挑战性工作的人才。” -有一位客户来寻求她的帮助,他们使用国产的数据库,没有任何相关文档,也没有一种有效的方法来弄清楚他们公司的产品架构。她称修理这种情况的一类工程师为“修正者”。在Corgibytes公司,她有一支这样的修正者团队由她支配,热衷于通过研究二进制代码来解决技术问题。 +有一位客户来寻求她的帮助,他们使用国产的数据库,没有任何相关文档,也没有一种有效的方法来弄清楚他们公司的产品架构。她称修理这种情况的一类工程师为“修正者”。在 
Corgibytes 公司,她有一支这样的修正者团队由她支配,热衷于通过研究二进制代码来解决技术问题。 ![](https://s3.amazonaws.com/marquee-test-akiaisur2rgicbmpehea/BeX5wWrESmCTaJYsuKhW_Screen%20Shot%202016-08-11%20at%209.17.04%20AM.png) @@ -163,7 +164,7 @@ Corgibytes公司每天都会看到同样的问题:一家创业公司建立了 但是随着时间的推移,她发现可以重新定义招聘流程来帮助她识别出更出色的候选人。比如说,她在应聘要求中写道,“公司 CEO 将会重新审查你的简历,因此请确保求职信中致意时不用写明性别。所有以‘尊敬的先生’或‘先生’开头的信件将会被当垃圾处理掉”。这些只是她的招聘初期策略。 -“我开始这么做是因为很多申请人把我当成一家软件公司的男性 CEO,这让我很厌烦,”Goulet 说。“所以,有一天我想我应该它当作应聘要求放到网上,看有多少人注意到这个问题。令我惊讶的是,这让我过滤掉一些不太严谨的申请人。还突显出了很多擅于从事遗留代码方面工作的人。” +“我开始这么做是因为很多申请人把我当成男性,因为我是一家软件公司的男性 CEO,我必须是男性!?”Goulet 说。“所以,有一天我想我应该它当作应聘要求放到网上,看有多少人注意到这个问题。令我惊讶的是,这让我过滤掉一些不太严谨的申请人。还突显出了很多擅于从事遗留代码方面工作的人。” Goulet 想起一个应聘者发邮件给我说,“我查看了你们网站的代码(我喜欢这个网站,这也是我的工作)。你们的网站架构很奇特,好像是用 PHP 写的,但是你们却运行在用 Ruby 语言写的 Jekyll 下。我真的很好奇那是什么呢。” @@ -177,9 +178,9 @@ Goulet 从她的设计师那里得知,原来,在 HTML、CSS 和 JavaScript 如果他们通过首轮面试,Goulet 将会让候选者阅读一篇 Arlo Belshee 写的文章“[命名是一个过程Naming is a Process][46]”。它讲的是非常详细的处理遗留代码的的过程。她最经典的指导方法是:“阅读完这段代码并且告诉我,你是怎么理解的。” -她将找出对问题的理解很深刻并且也愿意接受文章里提出的观点的候选者。这对于区分有深刻理解的候选者和仅仅想获得工作的候选者中来说,是极其有用的办法。她强烈要求候选者找出一段与他操作相关的代码,来证明他是充满激情的、有主见的及善于分析问题的人。 +她将找出对问题的理解很深刻并且也愿意接受文章里提出的观点的候选者。这对于区分有深刻理解的候选者和仅仅想获得工作的候选者来说,是极其有用的办法。她强烈要求候选者找出一段与他操作相关的代码,来证明他是充满激情的、有主见的及善于分析问题的人。 -最后,她会让候选者跟公司里当前的团队成员一起使用 [Exercism.io][45] 工具进行编程。这是一个开源项目,它允许开发者学习如何在不同的编程语言环境下使用一系列的测试驱动开发的练习进行编程。第一部分的协同编程课程允许候选者选择其中一种语言进行内建。下一个练习中,面试者可以选择一种语言进行编程。他们总能看到那些人处理异常的方法、随机应便的能力以及是否愿意承认某些自己不了解的技术。 +最后,她会让候选者跟公司里当前的团队成员一起使用 [Exercism.io][45] 工具进行编程。这是一个开源项目,它允许开发者学习如何在不同的编程语言环境下使用一系列的测试驱动开发的练习进行编程。结对编程课程的第一部分允许候选者选择其中一种语言来使用。下一个练习中,面试官可以选择一种语言进行编程。他们总能看到那些人处理异常的方法、随机应便的能力以及是否愿意承认某些自己不了解的技术。 “当一个人真正的从执业者转变为大师的时候,他会毫不犹豫的承认自己不知道的东西,”Goulet说。 
@@ -189,30 +190,28 @@ Goulet 从她的设计师那里得知,原来,在 HTML、CSS 和 JavaScript 如果一个有天赋的修正者在眼前,Goulet 懂得如何让他走向成功。下面是如何让这种类型的开发者感到幸福及高效工作的一些方式: -* 给他们高度的自主权。把问题解释清楚,然后安排他们去完成,但是永不命令他们应该如何去解决问题。 -* 如果他们要求升级他们的电脑配置和相关工具,尽管去满足他们。他们明白什么样的需求才能最大限度地提高工作效率。 -* 帮助他们[避免更换任务][39]。他们喜欢全身心投入到某一个任务直至完成。 +* 给他们高度的自主权。把问题解释清楚,然后安排他们去完成,但是永不命令他们应该如何去解决问题。 +* 如果他们要求升级他们的电脑配置和相关工具,尽管去满足他们。他们明白什么样的需求才能最大限度地提高工作效率。 +* 帮助他们[避免分心][39]。他们喜欢全身心投入到某一个任务直至完成。 -总之,这些方法已经帮助 Corgibytes 公司培养出 20 几位对遗留代码充满激情的专业开发者。 +总之,这些方法已经帮助 Corgibytes 公司培养出二十几位对遗留代码充满激情的专业开发者。 ### 稳定期没什么不好 -大多数创业公司都都不想跳过他们的成长期。一些公司甚至认为成长期应该是永无止境的。而且,他们觉得也没这个必要,即便他们已经进入到了下一个阶段:稳定期。完全进入到稳定期意味着你拥有人力资源及管理方法来创造技术财富,同时根据优先权适当支出。 +大多数创业公司都都不想跳过他们的成长期。一些公司甚至认为成长期应该是永无止境的。而且,他们觉得也没这个必要跳过成长期,即便他们已经进入到了下一个阶段:稳定期。**完全进入到稳定期意味着你拥有人力资源及管理方法来创造技术财富,同时根据优先权适当支出。** -“在成长期和稳定期之间有个转折点,就是维护人员必须要足够壮大,并且相对于专注新功能的产品开发人员,你开始更公平的对待维护人员,”Goulet说。“你们公司的产品开发完成了。现在你得让他们更加稳定地运行。” +“在成长期和稳定期之间有个转折点,就是维护人员必须要足够壮大,并且相对于专注新功能的产品开发人员,你开始更公平的对待维护人员,”Goulet 说。“你们公司的产品开发完成了。现在你得让他们更加稳定地运行。” 这就意味着要把公司更多的预算分配到产品维护及现代化方面。“你不应该把产品维护当作是一个不值得关注的项目,”她说。“这必须成为你们公司固有的一种企业文化 —— 这将帮助你们公司将来取得更大的成功。“ -最终,你通过这些努力创建的技术财富,将会为你的团队带来一大批全新的开发者:他们就像侦查兵一样,有充足的时间和资源去探索新的领域,挖掘新客户资源并且给公司创造更多的机遇。当你们在新的市场领域做得更广泛并且不断发展得更好 —— 那么你们公司已经真正地进入到繁荣发展的状态了。 +最终,你通过这些努力创建的技术财富,将会为你的团队带来一大批全新的开发者:他们就像侦查兵一样,有充足的时间和资源去探索新的领域,挖掘新客户资源并且给公司创造更多的机遇。当你们在新的市场领域做得更广泛并且不断取得进展 —— 那么你们公司已经真正地进入到繁荣发展的状态了。 -------------------------------------------------------------------------------- via: http://firstround.com/review/forget-technical-debt-heres-how-to-build-technical-wealth/ 作者:[http://firstround.com/][a] - 译者:[rusking](https://github.com/rusking) - 校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From a930b7a982038bfb2ec253525bb9b00ac296fa25 Mon Sep 17 00:00:00 2001 
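Review bot: In the hunk at `@@ -66,90 +67,90 @@` of "Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD" (PATCH 126/181), two of the rewritten lines still carry typos that the following PUB commit moves to published/ unchanged. The line "+使用持续改进的方式时,你要严肃地决定决定哪些工作应该让机器去做" repeats "决定", and the line "+“你们也要开始这样思考一下你们的软件,”她说。“你们的企业文件就类似那个状态。" has "企业文件" where the section heading "文化提升" and the next paragraph use "企业文化". The earlier hunk at `@@ -18,35 +19,35 @@` has a similar leftover in "当系统规模到一定程序的时候", where "程度" appears to be intended. Suggest fixing all three before the rename.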
From: wxy Date: Sat, 31 Dec 2016 00:06:59 +0800 Subject: [PATCH 127/181] =?UTF-8?q?PUB:20160826=20Forget=20Technical=20Deb?= =?UTF-8?q?t=20=E2=80=94Here'sHowtoBuild=20Technical=20Wealth?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @rusking @jasminepeng 这篇文章虽然很长,但是确实很有价值,只是一般人不会懂。辛苦两位了。 --- ...26 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/talk => published}/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD (100%) diff --git a/translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD b/published/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD similarity index 100% rename from translated/talk/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD rename to published/20160826 Forget Technical Debt —Here'sHowtoBuild Technical Wealth.MD From afdaf77a1bc31049b20a97fbf07df69cc6ff88c0 Mon Sep 17 00:00:00 2001 From: Flynn Date: Sat, 31 Dec 2016 00:16:01 +0800 Subject: [PATCH 128/181] translated --- ... To Install The PyCharm Python In Linux.md | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 translated/tech/20160921 How To Install The PyCharm Python In Linux.md diff --git a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md new file mode 100644 index 0000000000..3e1a84e2b9 --- /dev/null +++ b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md 
@@ -0,0 +1,112 @@ +如何在 Linux 下安装 Python IDE - PyCharm +============================================ + +![][7] +### 简介 + +Linux 经常被看成是一个远离外部世界,只有极客才会使用的操作系统,虽然这是一个误解,但事实上,如果你想开发软件,那么 Linux 系统能够为你提供一个很好的开发环境。 + +刚开始学习编程的新手们经常会问这样一个问题:应该使用哪种语言?当涉及到 Linux 系统的时候,通常的选择是 C、C++、Python、Java、PHP、Perl 和 Ruby On Rails + +Linux 系统的许多核心程序都是用 C 语言写的,但是如果离开 Linux 系统的世界, C 语言不再像其他语言比如 Java 和 Python 那么常用。 + +对于学习编程的人来说, Python 和 Java 都是不错的选择,因为它们是跨平台的,因此,你在 Linux 系统上写的程序在 Windows 系统和 Macs 系统上也能够很好的工作。 + +虽然你可以使用任何编辑器来开发 Python 程序,但是如果你使用一个同时包含编辑器和调试器的优秀集成开发环境(IDE)来进行开发,那么你的编程生涯将会变得更加轻松。 + +PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之前是在 Windows 环境下进行开发,那么你会立刻认出 Jetbrains 公司,它就是那个开发了 Resharper 的公司。 Resharper 是一个用于重构代码的优秀产品,它能够指出代码可能存在的问题以及自动添加声明:比如当你在使用一个类的时候它会自动为你导入。 + +这篇文章将讨论如何在 Linux 系统上获取、安装和运行 PyCharm 。 + +### 如何获取 PyCharm + +你可以通过访问[这儿][1]获取 PyCharm 。屏幕中央有一个很大的 'Download' 按钮。 + +你可以选择下载专业版或者社区版。如果你只是习惯于用 Python 编程那么推荐下载社区版。 + +然而,如果你打算进行专业化的编程,那么专业版的一些优秀特性是不容忽视的。 + +### 如何安装 PyCharm + +下载好的文件的名称可能是 ‘pycharm-professional-2016.2.3.tar.gz’。 + +以 “tar.gz” 结尾的文件是被 [gzip][2] 工具压缩过的,并且用 [tar][3] 工具进行了归档从而保证文件夹结构在一个地方。 + +你可以阅读关于[提取 tar.gz 文件][4]指南的更多信息。 + +加快节奏,为了解压文件,你需要做的是首先打开终端,然后通过下面的命令进入下载文件所在的文件夹: + + ``` + cd ~/Downloads + ``` + +现在,通过运行下面的命令找到你下载的文件的名字: + + ``` + ls pycharm* + ``` + +然后运行下面的命令解压文件: + + ``` + tar -xvzf pycharm-professional-2016.2.3.tar.gz -C ~ + ``` + +记得把上面命令中的文件名替换成通过 ‘ls’ 命令获知的 pycharm 文件名。(也就是你下载的文件的名字) + +上面的命令将会把 PyCharm 软件安装在 ‘home’ 目录中。 + +### 如何运行 PyCharm + +要运行 PyCharm, 首先需要进入 ‘home’ 目录: + + ``` + cd ~ + ``` + +运行 ‘ls’ 命令查找文件夹名: + + ``` + ls + ``` + +查找到文件名以后,运行下面的命令进入 PyCharm 目录: + + ``` + cd pycharm-2016.2.3/bin + ``` + +最后,通过运行下面的命令来运行 PyCharm: + + ``` + sh pycharm.sh & + ``` + +如果你是在一个桌面环境比如 GNOME、KDE、Unity、Cinnamon 或者其他现代桌面上运行,那么你也可以通过针对桌面环境的菜单或者快捷方式来找到 PyCharm 。 + +### 总结 + +现在, PyCharm 已经安装好了,你可以开始使用它来开发一个桌面应用、 web 应用和各种工具。 + +如果你想学习如何使用 Python 编程,那么这儿有很好的[学习资源][5]值得一看。里面的文章更多的是关于 Linux 学习,但也有一些资源比如 Pluralsight 和 Udemy 提供了关于 Python 学习的一些很好的教程。 + 
+如果想了解 PyCharm 的所有可用特性,请点击[这儿][6]来查看。它覆盖了从创建项目到描述用户界面、调试以及代码重构的全部内容。 + +----------------------------------------------------------------------------------------------------------- + +via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 + +作者:[ Gary Newell][a] +译者:[ucasFL](https://github.com/ucasFL) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.lifewire.com/gary-newell-2180098 +[1]:https://www.jetbrains.com/pycharm/ +[2]:https://www.lifewire.com/example-uses-of-the-linux-gzip-command-4078675 +[3]:https://www.lifewire.com/uses-of-linux-command-tar-2201086 +[4]:https://www.lifewire.com/extract-tar-gz-files-2202057 +[5]:https://www.lifewire.com/learn-linux-in-structured-manner-4061368 +[6]:https://www.lifewire.com/pycharm-the-best-linux-python-ide-4091045 +[7]:https://fthmb.tqn.com/ju1u-Ju56vYnXabPbsVRyopd72Q=/768x0/filters:no_upscale()/about/pycharmstart-57e2cb405f9b586c351a4cf7.png From 00ef1428b847c26b3aabf9a97809ef40b1dcbdf4 Mon Sep 17 00:00:00 2001 From: Lv Feng Date: Sat, 31 Dec 2016 00:17:36 +0800 Subject: [PATCH 129/181] Delete 20160921 How To Install The PyCharm Python In Linux.md --- ... To Install The PyCharm Python In Linux.md | 114 ------------------ 1 file changed, 114 deletions(-) delete mode 100644 sources/tech/20160921 How To Install The PyCharm Python In Linux.md diff --git a/sources/tech/20160921 How To Install The PyCharm Python In Linux.md b/sources/tech/20160921 How To Install The PyCharm Python In Linux.md deleted file mode 100644 index 39063d98b2..0000000000 --- a/sources/tech/20160921 How To Install The PyCharm Python In Linux.md +++ /dev/null 
@@ -1,114 +0,0 @@ -ucasFL translating -How To Install The PyCharm Python IDE In Linux -============================================ - -![][7] -### Introduction - -Linux is often seen from the outside world as an operating system for geeks and whilst this is a misnomer it is true that if you want to develop software then Linux provides a great environment for doing so. - -People new to programming often ask which programming language they should use and when it comes to Linux the choices are generally C, C++, Python, Java, PHP, Perl and Ruby On Rails. - -Many of the core Linux programs are written in C but outside the Linux world it isn't used as commonly as other languages such as Java and Python. - -Python and Java are both great choices because they are cross platform and therefore the programs you write for Linux will work on Windows and Macs as well. - -Whilst you can use any editor for developing Python applications you will find that your programming life will be so much easier if you use a good integrated development environment (IDE) consisting of an editor and a debugger. - -PyCharm is a cross platform editor developed by Jetbrains. If you come from a Windows development environment you will recognise Jetbrains as the company who produce the excellent product Resharper which is used to refactor your code, point out potential issues and automatically add statements such as when you use a class it will import it for you. - -This article will show you how to get PyCharm, install and run Pycharm within Linux - -### How To Get PyCharm - -You can get PyCharm by visiting [here][1] -There is a large download button in the centre of the screen. - -You have a choice of downloading the professional version or the community edition. If you are just getting into programming in Python then I recommend going for the community edition. - -However the professional version has some great features that shouldn't be overlooked if you intend to program professionally. 
- -### How To Install PyCharm - -The file that has been downloaded will be called something like pycharm-professional-2016.2.3.tar.gz. - -A file ending in "tar.gz" has been compressed using [the gzip tool][2] and has been archived using [tar][3] to keep the folder structure in one place. - -You can read this guide for more information about [extracting tar.gz files][4]. - -For quickness though all you have to do to extract the file is open a terminal and navigate to the folder the file has been downloaded to. - - ``` - cd ~/Downloads - ``` - -Now find out the name of the file you downloaded by running the following command: - - ``` - ls pycharm* - ``` - -To extract the file run the following command: - - ``` - tar -xvzf pycharm-professional-2016.2.3.tar.gz -C ~ - ``` - -Make sure you replace the name of the pycharm file with the one provided via the ls command. (i.e the filename you downloaded). - -The above command will put the PyCharm software in your home folder. - -### How To Run PyCharm - -To run PyCharm first navigate to your home folder: - - ``` - cd ~ - ``` - -Run the ls command to find the folder name - - ``` - ls - ``` - -When you have the file name navigate into the pycharm folder as follows: - - ``` - cd pycharm-2016.2.3/bin - ``` - -Finally to run PyCharm run the following command: - - ``` - sh pycharm.sh & - ``` - -If you are running a desktop environment such as GNOME, KDE, Unity, Cinnamon or any other modern desktop you will also be able to use the menu or dash for that desktop environment to find PyCharm. - -### Summary - -Now that PyCharm is installed you can start creating desktop applications, web applications and all manner of tools. - -If you want to learn how to program in Python then it is worth checking out this guide which shows the best places for [learning resources][5]. The article is geared more towards learning Linux than Python but the resources such as Pluralsight and Udemy provide access to really good course for Python. 
- -To find out what features are available in PyCharm [click here][6] for a full overview. It covers everything from creating a project to describing the user interface, debugging and code refactoring. - ------------------------------------------------------------------------------------------------------------ - -via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 - -作者:[ Gary Newell][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.lifewire.com/gary-newell-2180098 -[1]:https://www.jetbrains.com/pycharm/ -[2]:https://www.lifewire.com/example-uses-of-the-linux-gzip-command-4078675 -[3]:https://www.lifewire.com/uses-of-linux-command-tar-2201086 -[4]:https://www.lifewire.com/extract-tar-gz-files-2202057 -[5]:https://www.lifewire.com/learn-linux-in-structured-manner-4061368 -[6]:https://www.lifewire.com/pycharm-the-best-linux-python-ide-4091045 -[7]:https://fthmb.tqn.com/ju1u-Ju56vYnXabPbsVRyopd72Q=/768x0/filters:no_upscale()/about/pycharmstart-57e2cb405f9b586c351a4cf7.png From ce7e1a259714030d4b68c8e530f2035cbc7514ed Mon Sep 17 00:00:00 2001 From: xiaojin Date: Sat, 31 Dec 2016 02:22:49 +0800 Subject: [PATCH 130/181] =?UTF-8?q?Delete=2020161205=20Manage=20Samba4=20A?= =?UTF-8?q?ctive=20Directory=20Infrastructure=20from=20Windows10=20via=20R?= =?UTF-8?q?SAT=20=E2=80=93=20Part=203.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 翻译完成,删除原文 --- ...ucture from Windows10 via RSAT – Part 3.md | 362 ------------------ 1 file changed, 362 deletions(-) delete mode 100644 sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md 
diff --git a/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md b/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md deleted file mode 100644 index cf1b14118d..0000000000 --- a/sources/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md +++ /dev/null 
@@ -1,362 +0,0 @@ -Rusking translating - -Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3 -============================================================ - -In this part of the [Samba4 AD DC infrastructure series][8] we will talk on how join a Windows 10 machine into a Samba4 realm and how to administer the domain from a Windows 10 workstation. - -Once a Windows 10 system has been joined to Samba4 AD DC we can create, remove or disable domain users and groups, we can create new Organizational Units, we can create, edit and manage domain policy or we can manage Samba4 domain DNS service. - -All of the above functions and other complex tasks concerning domain administration can be achieved via any modern Windows platform with the help of RSAT – Microsoft Remote Server Administration Tools. - -#### Requirements - -1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] -2. [Manage Samba4 AD Infrastructure from Linux Command Line – Part 2][2] -3. [Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4][3] - -### Step 1: Configure Domain Time Synchronization - -1. Before starting to administer Samba4 ADDC from Windows 10 with the help of RSAT tools, we need to know and take care of a crucial piece of service required for an Active Directory and this service refers to [accurate time synchronization][9]. - -Time synchronization can be offered by NTP daemon in most of the Linux distributions. The default maximum time period discrepancy an AD can support is about 5 minutes. - -If the divergence time period is greater than 5 minutes you should start experience various errors, most important concerning AD users, joined machines or share access. - -To install Network Time Protocol daemon and NTP client utility in Ubuntu, execute the below command. 
- -``` -$ sudo apt-get install ntp ntpdate -``` -[ - ![Install NTP on Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png) -][10] - -Install NTP on Ubuntu - -2. Next, open and edit NTP configuration file and replace the default NTP pool server list with a new list of NTP servers which are geographically located near your current physical equipment location. - -The list of NTP servers can be obtained by visiting official NTP Pool Project webpage [http://www.pool.ntp.org/en/][11]. - -``` -$ sudo nano /etc/ntp.conf -``` - -Comment the default server list by adding a `#` in front of each pool line and add the below pool lines with your proper NTP servers as illustrated on the below screenshot. - -``` -pool 0.ro.pool.ntp.org iburst -pool 1.ro.pool.ntp.org iburst -pool 2.ro.pool.ntp.org iburst -# Use Ubuntu's ntp server as a fallback. -pool 3.ro.pool.ntp.org -``` -[ - ![Configure NTP Server in Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png) -][12] - -Configure NTP Server in Ubuntu - -3. Now, don’t close the file yet. Move to the top at the file and add the below line after the driftfile statement. This setup allows the clients to query the server using AD signed NTP requests. - -``` -ntpsigndsocket /var/lib/samba/ntp_signd/ -``` -[ - ![Sync AD with NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png) -][13] - -Sync AD with NTP - -4. Finally, move to the bottom of the file and add the below line, as illustrated on the below screenshot, which will allow network clients only to query the time on the server. - -``` -restrict default kod nomodify notrap nopeer mssntp -``` -[ - ![Query Clients to NTP Server](http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png) -][14] - -Query Clients to NTP Server - -5. 
When finished, save and close the NTP configuration file and grant NTP service with the proper permissions in order to read the ntp_signed directory. - -This is the system path where Samba NTP socket is located. Afterwards, restart NTP daemon to apply changes and verify if NTP has open sockets in your system network table using [netstat command][15]combined with [grep filter][16]. - -``` -$ sudo chown root:ntp /var/lib/samba/ntp_signd/ -$ sudo chmod 750 /var/lib/samba/ntp_signd/ -$ sudo systemctl restart ntp -$ sudo netstat –tulpn | grep ntp -``` -[ - ![Grant Permission to NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png) -][17] - -Grant Permission to NTP - -Use the ntpq command line utility to monitor NTP daemon along with the `-p` flag in order to print a summary of peers state. - -``` -$ ntpq -p -``` -[ - ![Monitor NTP Server Pool](http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png) -][18] - -Monitor NTP Server Pool - -### Step 2: Troubleshoot NTP Time Issues - -6. Sometimes the NTP daemon gets stuck in calculations while trying to synchronize time with an upstream ntp server peer, resulting the following error messages when manually trying to force time synchronization by running ntpdate utility on a client side: - -``` -# ntpdate -qu adc1 -ntpdate[4472]: no server suitable for synchronization found -``` -[ - ![NTP Time Synchronization Error](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png) -][19] - -NTP Time Synchronization Error - -when using ntpdate command with `-d` flag. - -``` -# ntpdate -d adc1.tecmint.lan -Server dropped: Leap not in sync -``` -[ - ![NTP Server Dropped Leap Not in Sync](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png) -][20] - -NTP Server Dropped Leap Not in Sync - -7. 
To circumvent this issue, use the following trick to solve the problem: On the server, stop the NTP service and use the ntpdate client utility to manually force time synchronization with an external peer using the `-b` flag as shown below: - -``` -# systemctl stop ntp.service -# ntpdate -b 2.ro.pool.ntp.org [your_ntp_peer] -# systemctl start ntp.service -# systemctl status ntp.service -``` -[ - ![Force NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png) -][21] - -Force NTP Time Synchronization - -8. After the time has been accurately synchronized, start the NTP daemon on the server and verify from the client side if the service is ready to serve time for local clients by issuing the following command: - -``` -# ntpdate -du adc1.tecmint.lan [your_adc_server] -``` -[ - ![Verify NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png) -][22] - -Verify NTP Time Synchronization - -By now, NTP server should work as expected. - -### Step 3: Join Windows 10 into Realm - -9. As we saw in our previous tutorial, [Samba4 Active Directory can be managed from command line using samba-tool][23] utility interface which can be accessed directly from server’s VTY console or remotely connected through SSH. - -Other, more intuitively and flexible alternative, would be to manage our Samba4 AD Domain Controller via Microsoft Remote Server Administration Tools (RSAT) from a Windows workstation integrated into the domain. These tools are available in almost all modern Windows systems. - -The process of joining Windows 10 or older versions of Microsoft OS into Samba4 AD DC is very simple. First, make sure that your Windows 10 workstation has the correct Samba4 DNS IP address configured in order to query the proper realm resolver. 
- -Open Control panel -> Network and Internet -> Network and Sharing Center -> Ethernet card -> Properties -> IPv4 -> Properties -> Use the following DNS server addresses and manually place Samba4 AD IP Address to the network interface as illustrated in the below screenshots. - -[ - ![join Windows to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png) -][24] - -join Windows to Samba4 AD - -[ - ![Add DNS and Samba4 AD IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png) -][25] - -Add DNS and Samba4 AD IP Address - -Here, 192.168.1.254 is the IP Address of Samba4 AD Domain Controller responsible for DNS resolution. Replace the IP Address accordingly. - -10. Next, apply the network settings by hitting on OK button, open a Command Prompt and issue a pingagainst the generic domain name and Samba4 host FQDN in order to test if the realm is reachable through DNS resolution. - -``` -ping tecmint.lan -ping adc1.tecmint.lan -``` -[ - ![Check Network Connectivity Between Windows and Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png) -][26] - -Check Network Connectivity Between Windows and Samba4 AD - -11. If the resolver correctly responds to Windows client DNS queries, then, you need to assure that the time is accurately synchronized with the realm. - -Open Control Panel -> Clock, Language and Region -> Set Time and Date -> Internet Time tab -> Change Settings and write your domain name on Synchronize with and Internet time server field. - -Hit on Update Now button to force time synchronization with the realm and hit OK to close the window. - -[ - ![Synchronize Time with Internet Server](http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png) -][27] - -Synchronize Time with Internet Server - -12. 
Finally, join the domain by opening System Properties -> Change -> Member of Domain, write your domain name, hit OK, enter your domain administrative account credentials and hit OK again. - -A new pop-up window should open informing you’re a member of the domain. Hit OK to close the pop-up window and reboot the machine in order to apply domain changes. - -The below screenshot will illustrate these steps. - -[ - ![Join Windows Domain to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png) -][28] - -Join Windows Domain to Samba4 AD - -[ - ![Enter Domain Administration Login](http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png) -][29] - -Enter Domain Administration Login - -[ - ![Domain Joined to Samba4 AD Confirmation](http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png) -][30] - -Domain Joined to Samba4 AD Confirmation - -[ - ![Restart Windows Server for Changes](http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png) -][31] - -Restart Windows Server for Changes - -13. After restart, hit on Other user and logon to Windows with a Samba4 domain account with administrative privileges and you should be ready to move to the next step. - -[ - ![Login to Windows Using Samba4 AD Account](http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png) -][32] - -Login to Windows Using Samba4 AD Account - -#### Step 4: Administer Samba4 AD DC with RSAT - -14. Microsoft Remote Server Administration Tools (RSAT), which will be further used to administer Samba4 Active Directory, can be downloaded from the following links, depending on your Windows version: - -1. Windows 10: [https://www.microsoft.com/en-us/download/details.aspx?id=45520][4] -2. Windows 8.1: [http://www.microsoft.com/en-us/download/details.aspx?id=39296][5] -3. 
Windows 8: [http://www.microsoft.com/en-us/download/details.aspx?id=28972][6] -4. Windows 7: [http://www.microsoft.com/en-us/download/details.aspx?id=7887][7] - -Once the update standalone installer package for Windows 10 has been downloaded on your system, run the installer, wait for the installation to finish and restart the machine to apply all updates. - -After reboot, open Control Panel -> Programs (Uninstall a Program) -> Turn Windows features on or offand check all Remote Server Administration Tools. - -Click OK to start the installation and after the installation process finishes, restart the system. - -[ - ![Administer Samba4 AD from Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png) -][33] - -Administer Samba4 AD from Windows - -15. To access RSAT tools go to Control Panel -> System and Security -> Administrative Tools. - -The tools can also be found in the Administrative tools menu from start menu. Alternatively, you can open Windows MMC and add Snap-ins using the File -> Add/Remove Snap-in menu. - -[ - ![Access Remote Server Administration Tools](http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png) -][34] - -Access Remote Server Administration Tools - -The most used tools, such as AD UC, DNS and Group Policy Management can be launched directly from Desktop by creating shortcuts using Send to feature from menu. - -16. You can verify RSAT functionality by opening AD UC and list domain Computers (newly joined windows machine should appear in the list), create a new Organizational Unit or a new user or group. - -Verify if the users or groups had been properly created by issuing wbinfo command from Samba4 server side. 
- -[ - ![Active Directory Users and Computers](http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png) -][35] - -Active Directory Users and Computers - -[ - ![Create Organizational Units and New Users](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png) -][36] - -Create Organizational Units and New Users - -[ - ![Confirm Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png) -][37] - -Confirm Samba4 AD Users - -That’s it! On the next part of this topic we will cover other important aspects of a Samba4 Active Directory which can be administered via RSAT, such as, how to manage DNS server, add DNS records and create a reverse DNS lookup zone, how to manage and apply domain policy and how to create an interactive logon banner for your domain users. - ------- - -作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. 
- - --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ - -作者:[Matei Cezar ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/cezarmatei/ -[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ -[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ -[3]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ -[4]:https://www.microsoft.com/en-us/download/details.aspx?id=45520 -[5]:http://www.microsoft.com/en-us/download/details.aspx?id=39296 -[6]:http://www.microsoft.com/en-us/download/details.aspx?id=28972 -[7]:http://www.microsoft.com/en-us/download/details.aspx?id=7887 -[8]:http://www.tecmint.com/category/samba4-active-directory/ -[9]:http://www.tecmint.com/how-to-synchronize-time-with-ntp-server-in-ubuntu-linux-mint-xubuntu-debian/ -[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png -[11]:http://www.pool.ntp.org/en/ -[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png -[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png -[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png -[15]:http://www.tecmint.com/20-netstat-commands-for-linux-network-management/ -[16]:http://www.tecmint.com/12-practical-examples-of-linux-grep-command/ -[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png -[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png -[19]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png -[20]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png 
-[21]:http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png -[22]:http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png -[23]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ -[24]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png -[25]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png -[26]:http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png -[27]:http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png -[28]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png -[29]:http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png -[30]:http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png -[31]:http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png -[32]:http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png -[33]:http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png -[34]:http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png -[35]:http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png -[36]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png -[37]:http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png -[38]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# -[39]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# -[40]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# -[41]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# -[42]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/#comments 
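Review bot: step 5 of the source removed in this hunk has two defects that the translation added in PATCH 131/181 copies unchanged, so they should be corrected there, with a translator's note, before the original disappears from the tree. The command `$ sudo netstat –tulpn | grep ntp` uses an en dash where the option hyphen belongs and will not run as pasted (it should read `netstat -tulpn`), and the prose calls the directory "ntp_signed" while the `chown` and `chmod` lines operate on `/var/lib/samba/ntp_signd/`. Separately, this deletion is committed before the translated file is created, which leaves one commit where the article exists in neither `sources/tech/` nor `translated/tech/`; doing the removal and the addition in a single commit avoids that gap.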
From fe00ab07e38ffc8af5a7d8d77af59ea027b25807 Mon Sep 17 00:00:00 2001 From: xiaojin Date: Sat, 31 Dec 2016 02:25:06 +0800 Subject: [PATCH 131/181] =?UTF-8?q?20161205=20Manage=20Samba4=20Active=20D?= =?UTF-8?q?irectory=20Infrastructure=20from=20Windows10=20via=20RSAT=20?= =?UTF-8?q?=E2=80=93=20Part=203.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 翻译完成,添加译文 --- ...ucture from Windows10 via RSAT – Part 3.md | 357 ++++++++++++++++++ 1 file changed, 357 insertions(+) create mode 100644 translated/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md diff --git a/translated/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md b/translated/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md new file mode 100644 index 0000000000..c5f2e4c810 --- /dev/null +++ b/translated/tech/20161205 Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3.md 
@@ -0,0 +1,357 @@ +Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3 +============================================================ +使用 Windows 10 系统的 RSAT 工具来管理 Samba4 活动目录架构 (三) + +这一节的[Samba4 AD DC 架构系列文章][8],我们将会讨论如何把 Windows 10 系统的电脑添加到 Samba4 域环境中,以及如何在 Windows 10 系统下管理域环境。 + +一旦 Windows 10 系统加入到 Samba4 AD DC ,我们就可以在 Windows 10 系统中创建、删除或者禁用域用户和组了,可以创建新的组织单元,创建、编辑和管理域策略,还可以管理 Samba4 域 DNS 服务。 + +上面所有的功能和其它一些复杂的与域管理相关的工作都可以通过 Windows 环境下的 RSAT 工具来完成—— Microsoft 远程服务器管理工具。 + +#### 要求 + +1、 [在 Ubuntu16.04 系统上使用 Samba4 软件来创建活动目录架构(一)][1] +2、 [在 Linux 命令行下管理 Samba4 AD 架构(二)][2] +3、 [在 Windows 下管理 Samba4 AD 域管制器 DNS 和组策略(四)][3] + +### 第1步:配置域时间同步 + +1、在使用 Windows 10 系统的 RSAT 工具来管理 Samba4 ADDC 之前,我们需要了解与活动目录相关的一个很重要的服务,该服务要求[精确的时间同步][9] + +在大多数的 Linux 发行版中,NTP 进程都提供时间同步机制。AD 环境默认允许最大的时间差距是 5 分钟。 + +如果时间差距超过 5 分钟,你将会遇到各种各样的异常报错,影响最严重的是导致 AD 用户,域成员服务器或共享访问相关的问题。 + +为了在 Ubuntu 系统中安装网络时间协议进程和 NTP 客户端工具,可执行以下命令: + +``` +$ sudo apt-get install ntp ntpdate +``` +[ + ![Install NTP on Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png) +][10] + +在 Ubuntu 系统下安装 NTP 服务 + +2、下一步,修改 NTP 配置文件,使用一个离你最近的 NTP 服务地址列表替换默认的 NTP 池服务列表。 + + NTP 服务器地址列表可以从 NTP 地址库项目官方网站获取:[http://www.pool.ntp.org/en/][11]. + +``` +$ sudo nano /etc/ntp.conf +``` + +在每一行 pool 前添加一个 ‘#’ 符号以注释默认的服务器列表,并替换为适合你的 NTP 服务地址,如下图所示: + +``` +pool 0.ro.pool.ntp.org iburst +pool 1.ro.pool.ntp.org iburst +pool 2.ro.pool.ntp.org iburst +# Use Ubuntu's ntp server as a fallback. 
+pool 3.ro.pool.ntp.org +``` +[ + ![Configure NTP Server in Ubuntu](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png) +][12] + +在 Ubuntu 系统下配置 NTP 服务 + +3、此时,先不要关闭该文件。移动光标到文件顶部,在 driftfile 参数后面添加下面一行内容。该设置是为了让客户端查询该服务时使用 AD NTP 签署请求。 + +``` +ntpsigndsocket /var/lib/samba/ntp_signd/ +``` +[ + ![Sync AD with NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png) +][13] + +使用 NTP 来同步 AD + +4、最后,移动光标到文件底部并添加如下面一行内容,如截图所示,仅允许网络客户端查询该服务器上的时间。 +``` +restrict default kod nomodify notrap nopeer mssntp +``` +[ + ![Query Clients to NTP Server](http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png) +][14] + +限制 NPT 服务的查询客户端 + +5、设置完成之后,保存并关闭 NTP 配置文件,为了让 NTP 服务读取 ntp_signed 目录,需要授予 NTP 服务合适的权限。 + +以下是 Samba NTP socket 的系统路径。之后,重启 NTP 服务以应用更改,并使用 [netstat 命令][15]与[grep 过滤][16]相接合来检查 NTP服务是否正常。 + +``` +$ sudo chown root:ntp /var/lib/samba/ntp_signd/ +$ sudo chmod 750 /var/lib/samba/ntp_signd/ +$ sudo systemctl restart ntp +$ sudo netstat –tulpn | grep ntp +``` +[ + ![Grant Permission to NTP](http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png) +][17] + +NTP 授权 + +使用 ntpq 命令行工具来监控 NTP 进程,加上 '-p' 参数来显示摘要信息。 + +``` +$ ntpq -p +``` +[ + ![Monitor NTP Server Pool](http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png) +][18] + +监控 NTP Server Pool + +### 第二步:处理 NTP 时间同步异常问题 + +6、有时候 NTP 进程在尝试与上游 ntp 服务端同步时间的计算过程中会卡住,导致客户端使用 ntpdate 工具手动强制同步时间时报如下错误: + +``` +# ntpdate -qu adc1 +ntpdate[4472]: no server suitable for synchronization found +``` +[ + ![NTP Time Synchronization Error](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png) +][19] + +NTP 时间同步异常 + +ntpdate 命令加上 -d 选项 + +``` +# ntpdate -d adc1.tecmint.lan +Server dropped: Leap not in sync +``` +[ + ![NTP Server Dropped Leap Not in Sync](http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png) +][20] + +NTP Server Dropped Leap Not in 
Sync + +7、为了避免出现该问题,使用下面的方法来解决这个问题:在服务器上停止 NTP 服务,使用 ntpdate 客户端工具加上 '-b' 参数指定外部 peer 地址来手动强制同步时间,如下图所示: + +``` +# systemctl stop ntp.service +# ntpdate -b 2.ro.pool.ntp.org [your_ntp_peer] +# systemctl start ntp.service +# systemctl status ntp.service +``` +[ + ![Force NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png) +][21] + +强制 NTP 时间同步 + +8、当时间正确同步之后,启动服务器上的 NTP 服务,并且在客户端服务器上执行如下命令来验证 NTP 时间同步服务是否可用: + +``` +# ntpdate -du adc1.tecmint.lan [your_adc_server] +``` +[ + ![Verify NTP Time Synchronization](http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png) +][22] + +验证 NTP 时间同步 + +至此, NTP 服务应该已经工作正常了。 + +### 第 3 步:把 Windows 10 系统加入域环境 + +9、从我们的前一篇文章可以看出,[Samba4 活动目录可以使用 samba-tool 工具在命令行下管理][23],可以直接在服务器上的 VTY 控制台或者通过 SSH 工具远程连接到服务器上进行管理。 + +另外,更直观更灵活的方式是使用已加入域的 Windows 电脑中的微软远程服务器管理工具(RSAT)来管理我们的 Samba4 AD 域控制器。这些工具在当前的大多数 Windows 系统中都可以使用。 + +把 Windows 10 或是之前版本的微软操作系统加入到 Samba4 AD DC 环境中的过程也是非常容易的。首先,确保你的 Windows 10 电脑已经设置了正确的 Samba4 DNS 服务器的 IP 地址,以查询出准确的域解析结果。 + +打开控制面板 -> 网络和 Internet -> 网络和共享中心 -> 网卡设置 -> 属性 -> IPv4 -> 属性 -> 使用下面的 DNS 服务器地址,并且手动输入 Samba4 AD 服务器的 IP 地址,如下图所示: + +[ + ![join Windows to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png) +][24] + +把 Windows 10 加入到 Samba4 AD 环境 + +[ + ![Add DNS and Samba4 AD IP Address](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png) +][25] + +添加 DNS 和 Samba4 AD 服务器地址 + +这里的 192.168.1.254 是 Samba4 AD 域控服务器的地址,用于域名解析。按顺序替换 IP 地址。 + +10、下一步,点击 OK 按钮以应用网络设置,打开 CMD 命令行窗口,通过 ping 域名和 Samba4 服务器的 FQDN 地址来测试通过 DNS 解析到域是否连通。 + +``` +ping tecmint.lan +ping adc1.tecmint.lan +``` +[ + ![Check Network Connectivity Between Windows and Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png) +][26] + +检查Windows 和 Samb4 AD 服务器的网络连通性 + +11、如果 Windows 客户端 DNS 查询的结果解析正确,那么,你还需要确认客户端时间是否已跟域环境同步。 + +打开控制面板 -> 时钟、语言和区域 -> 
设置时间和日期 -> Internet 时间页 -> 更改设置,输入你同步时间的域名和 Internet 时间服务器字段。 + +点击立即更新按钮来强制与域同步时间,点击 OK 关闭窗口。 + +[ + ![Synchronize Time with Internet Server](http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png) +][27] + +与 Internet 服务器同步时间 + +12、最后,通过打开系统属性 -> 更改 -> 域成员 -> 输入域名,点击 OK,输入你的域管理员账号和密码,再次点击 OK。 + + +应该弹出一个新的窗口通知你已经是一个域成员了。点击 OK 关闭弹出窗口,并且重启机器以应用域更改。 + + +下面的截图将说明这些操作步骤。 + +[ + ![Join Windows Domain to Samba4 AD](http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png) +][28] + +把 Windows 域加入到 Samba4 AD 环境 +[ + ![Enter Domain Administration Login](http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png) +][29] + +输入域管理员账号登录 + +[ + ![Domain Joined to Samba4 AD Confirmation](http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png) +][30] + +确认域已加入到 Samba4 AD 环境 + +[ + ![Restart Windows Server for Changes](http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png) +][31] + +重启 Windows 服务器以应用更改 + +13、重启之后,单击其它用户并且使用具有管理员权限的 Samba4 域账号登录到 Windows 系统,你已经准备好进入到后边几个步骤了。 + +[ + ![Login to Windows Using Samba4 AD Account](http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png) +][32] + +使用 Samba4 AD 账号登录到 Windows + +#### 第 4 步:使用 RSAT 工具来管理 Samba4 AD DC + +14、微软远程服务器管理工具(RSAT)被广泛地用来管理 Samba4 活动目录,你可以根据你的 Windows 系统版本从下面的地址来下载该工具: + +1. Windows 10: [https://www.microsoft.com/en-us/download/details.aspx?id=45520][4] +2. Windows 8.1: [http://www.microsoft.com/en-us/download/details.aspx?id=39296][5] +3. Windows 8: [http://www.microsoft.com/en-us/download/details.aspx?id=28972][6] +4. 
Windows 7: [http://www.microsoft.com/en-us/download/details.aspx?id=7887][7] + +一旦 Windows 10 独立安装包下载完成,运行安装包,等待安装完成并重启机器以应用所有更新。 + +重启之后,打开控制面板 -> 程序(卸载程序) -> 启用或关闭 Windows 功能,勾选所有的远程服务器管理工具。 + +点击 OK 开始安装,安装完成之后重启系统。 +[ + ![Administer Samba4 AD from Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png) +][33] + +从 Windows 系统下管理 Samba4 AD + + +15、要进入 RSAT 工具集,打开控制面板 -> 系统和安全 -> 管理工具 + +这些工具也可以在开始工菜单的管理工具菜单中找到。另外,你也可以打开 Windows MMC 工具和管理单元,从文件 -> 添加/删除管理单元菜单中访问它们。 + +[ + ![Access Remote Server Administration Tools](http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png) +][34] + +访问远程服务器管理工具集 + +最常用的工具,比如 AD UC ,DNS 和组策略管理工具可以通过从右键菜单发送到功能来新建快捷方式到桌面直接运行。 + +16、你可以通过 AD UC 和列出域里的电脑(新加入的 Windows 机器应该出现在列表中)来验证 RSAT 功能,创建一个组织单元或组。 + +在 Samba4 服务器上使用 wbinf 命令来检查用户和组是否已经创建成功。 +[ + ![Active Directory Users and Computers](http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png) +][35] + +活动目录用户和计算机 + +[ + ![Create Organizational Units and New Users](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png) +][36] + +创建组织单元和新用户 +[ + ![Confirm Samba4 AD Users](http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png) +][37] + +确认 Samba4 AD 用户 + +就这些吧!该主题的下一篇文章将包含其它 Samba4 活动目录的重要内容,包括通过 RSAT 工具来管理 Samba4 活动目录,比如,如何管理 DNS 服务器,添加 DNS 记录和创建 DNS 解析查询区,如何管理及应用域策略以及域用户如何创建交互式登录提示信息。 + +------ +作者简介:我是一个电脑迷,开源软件及 Linux 系统爱好者,有近4年的 Linux 桌面和服务器系统及 bash 编程经验。 + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ + +作者:[Matei Cezar ][a] +译者:[rusking](https://github.com/rusking) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ 
+[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ +[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[3]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ +[4]:https://www.microsoft.com/en-us/download/details.aspx?id=45520 +[5]:http://www.microsoft.com/en-us/download/details.aspx?id=39296 +[6]:http://www.microsoft.com/en-us/download/details.aspx?id=28972 +[7]:http://www.microsoft.com/en-us/download/details.aspx?id=7887 +[8]:http://www.tecmint.com/category/samba4-active-directory/ +[9]:http://www.tecmint.com/how-to-synchronize-time-with-ntp-server-in-ubuntu-linux-mint-xubuntu-debian/ +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Install-NTP-on-Ubuntu.png +[11]:http://www.pool.ntp.org/en/ +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-NTP-Server-in-Ubuntu.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Sync-AD-with-NTP.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Query-Client-to-NTP-Server.png +[15]:http://www.tecmint.com/20-netstat-commands-for-linux-network-management/ +[16]:http://www.tecmint.com/12-practical-examples-of-linux-grep-command/ +[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Grant-Permission-to-NTP.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Monitor-NTP-Server-Pool.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Time-Synchronization-Error.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/12/NTP-Server-Dropped-Leap-Not-Sync.png +[21]:http://www.tecmint.com/wp-content/uploads/2016/12/Force-NTP-Time-Synchronization.png +[22]:http://www.tecmint.com/wp-content/uploads/2016/12/Verify-NTP-Time-Synchronization.png +[23]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[24]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-to-Samba4-AD.png +[25]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-and-Samba4-AD-IP-Address.png 
+[26]:http://www.tecmint.com/wp-content/uploads/2016/12/Check-Samba4-AD-from-Windows.png +[27]:http://www.tecmint.com/wp-content/uploads/2016/12/Synchronize-Time-with-Internet-Server.png +[28]:http://www.tecmint.com/wp-content/uploads/2016/12/Join-Windows-Domain-to-Samba4-AD.png +[29]:http://www.tecmint.com/wp-content/uploads/2016/12/Enter-Domain-Administration-Login.png +[30]:http://www.tecmint.com/wp-content/uploads/2016/12/Domain-Joined-to-Samba4-AD.png +[31]:http://www.tecmint.com/wp-content/uploads/2016/12/Restart-Windows-Server-for-Changes.png +[32]:http://www.tecmint.com/wp-content/uploads/2016/12/Login-to-Windows-Using-Samba4-AD-Account.png +[33]:http://www.tecmint.com/wp-content/uploads/2016/12/Administer-Samba4-AD-from-Windows.png +[34]:http://www.tecmint.com/wp-content/uploads/2016/12/Access-Remote-Server-Administration-Tools.png +[35]:http://www.tecmint.com/wp-content/uploads/2016/12/Active-Directory-Users-and-Computers.png +[36]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Organizational-Unit-and-Users.png +[37]:http://www.tecmint.com/wp-content/uploads/2016/12/Confirm-Samba4-AD-Users.png +[38]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[39]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[40]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[41]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/# +[42]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/#comments From d4a2569d66e1d23f2b6a3ca7ec93bc710642edb4 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 13:37:15 +0800 Subject: [PATCH 132/181] =?UTF-8?q?20161231-1=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sources/tech/20160425 What is SRE.md | 83 ++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 sources/tech/20160425 What is SRE.md 
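Review bot: in step 16 of the translated Samba4/RSAT article that ends above, the command name is misspelled in "在 Samba4 服务器上使用 wbinf 命令"; the Samba tool is `wbinfo`, and a reader who types the name as printed will get "command not found". Other points in the same hunk: "开始工菜单" has a stray character (should read "开始菜单"), the caption "检查Windows 和 Samb4 AD 服务器的网络连通性" misspells Samba4 and lacks the space after "检查", and "#### 第 4 步" is one heading level deeper than "### 第 3 步". In the two ntpdate commands, the bracketed hints (`[your_ntp_peer]`, `[your_adc_server]`) sit on the command line after a real hostname, so a copy-paste passes them as an extra literal argument; consider moving the hint into the surrounding sentence. "按顺序替换 IP 地址" reads as "replace the IP addresses in order", which does not fit a sentence about a single DNS server address; something like "请根据实际情况替换该 IP 地址" would be clearer. The footer still carries the placeholder "校对:[校对者ID]", which should be filled in before the article is published.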
diff --git a/sources/tech/20160425 What is SRE.md b/sources/tech/20160425 What is SRE.md new file mode 100644 index 0000000000..7a0fa7e513 --- /dev/null +++ b/sources/tech/20160425 What is SRE.md 
@@ -0,0 +1,83 @@ +What is SRE (Site Reliability Engineering)? +============================================================ + +Site Reliability Engineer is a job title we are starting to see more and more these days. What does it mean? Where does it come from? Learn from Google's SRE team. + + ![Bridge](https://d3tdunqjn7n0wj.cloudfront.net/360x240/bridge-1031545-1400-389c9609ff7c64083c93db48dc77eeff.jpg) + +This is an excerpt from [Site Reliability Engineering][9], edited by Niall Richard Murphy, Jennifer Petoff, Chris Jones, Betsy Beyer. + +Site Reliability Engineering will also be covered at the [O'Reilly Velocity Conference, Nov. 7-10 in Amsterdam][10]. + +### Introduction + +> Hope is not a strategy. +> +> Traditional SRE saying + +It is a truth universally acknowledged that systems do not run themselves. How, then, _should_ a system—particularly a complex computing system that operates at a large scale—be run? + + +### The Sysadmin Approach to Service Management + +The sysadmin model of service management has several advantages. For companies deciding how to run and staff a service, this approach is relatively easy to implement: as a familiar industry paradigm, there are many examples from which to learn and emulate. A relevant talent pool is already widely available. An array of existing tools, software components (off the shelf or otherwise), and integration companies are available to help run those assembled systems, so a novice sysadmin team doesn’t have to reinvent the wheel and design a system from scratch. + +Traditional operations teams and their counterparts in product development thus often end up in conflict, most visibly over how quickly software can be released to production. At their core, the development teams want to launch new features and see them adopted by users. At _their_ core, the ops teams want to make sure the service doesn’t break while they are holding the pager. 
Because most outages are caused by some kind of change—a new configuration, a new feature launch, or a new type of user traffic—the two teams’ goals are fundamentally in tension. + +Both groups understand that it is unacceptable to state their interests in the baldest possible terms ("We want to launch anything, any time, without hindrance" versus "We won’t want to ever change anything in the system once it works"). And because their vocabulary and risk assumptions differ, both groups often resort to a familiar form of trench warfare to advance their interests. The ops team attempts to safeguard the running system against the risk of change by introducing launch and change gates. For example, launch reviews may contain an explicit check for _every_ problem that has _ever_ caused an outage in the past—that could be an arbitrarily long list, with not all elements providing equal value. The dev team quickly learns how to respond. They have fewer "launches" and more "flag flips," "incremental updates," or "cherrypicks." They adopt tactics such as sharding the product so that fewer features are subject to the launch review. + + +### Google’s Approach to Service Management: Site Reliability Engineering + +Conflict isn’t an inevitable part of offering a software service. Google has chosen to run our systems with a different approach: our Site Reliability Engineering teams focus on hiring software engineers to run our products and to create systems to accomplish the work that would otherwise be performed, often manually, by sysadmins. + +What exactly is Site Reliability Engineering, as it has come to be defined at Google? My explanation is simple: SRE is what happens when you ask a software engineer to design an operations team. When I joined Google in 2003 and was tasked with running a "Production Team" of seven engineers, my entire life up to that point had been software engineering. 
So I designed and managed the group the way _I_ would want it to work if I worked as an SRE myself. That group has since matured to become Google’s present-day SRE team, which remains true to its origins as envisioned by a lifelong software engineer. + +A primary building block of Google’s approach to service management is the composition of each SRE team. As a whole, SRE can be broken down two main categories. + +50–60% are Google Software Engineers, or more precisely, people who have been hired via the standard procedure for Google Software Engineers. The other 40–50% are candidates who were very close to the Google Software Engineering qualifications (i.e., 85–99% of the skill set required), and who _in addition_ had a set of technical skills that is useful to SRE but is rare for most software engineers. By far, UNIX system internals and networking (Layer 1 to Layer 3) expertise are the two most common types of alternate technical skills we seek. + +Common to all SREs is the belief in and aptitude for developing software systems to solve complex problems. Within SRE, we track the career progress of both groups closely, and have to date found no practical difference in performance between engineers from the two tracks. In fact, the somewhat diverse background of the SRE team frequently results in clever, high-quality systems that are clearly the product of the synthesis of several skill sets. + +The result of our approach to hiring for SRE is that we end up with a team of people who (a) will quickly become bored by performing tasks by hand, and (b) have the skill set necessary to write software to replace their previously manual work, even when the solution is complicated. SREs also end up sharing academic and intellectual background with the rest of the development organization. 
Therefore, SRE is fundamentally doing work that has historically been done by an operations team, but using engineers with software expertise, and banking on the fact that these engineers are inherently both predisposed to, and have the ability to, design and implement automation with software to replace human labor. + +By design, it is crucial that SRE teams are focused on engineering. Without constant engineering, operations load increases and teams will need more people just to keep pace with the workload. Eventually, a traditional ops-focused group scales linearly with service size: if the products supported by the service succeed, the operational load will grow with traffic. That means hiring more people to do the same tasks over and over again. + +To avoid this fate, the team tasked with managing a service needs to code or it will drown. Therefore, Google places _a 50% cap on the aggregate "ops" work for all SREs_—tickets, on-call, manual tasks, etc. This cap ensures that the SRE team has enough time in their schedule to make the service stable and operable. This cap is an upper bound; over time, left to their own devices, the SRE team should end up with very little operational load and almost entirely engage in development tasks, because the service basically runs and repairs itself: we want systems that are _automatic_, not just _automated_. In practice, scale and new features keep SREs on their toes. + +Google’s rule of thumb is that an SRE team must spend the remaining 50% of its time actually doing development. So how do we enforce that threshold? In the first place, we have to measure how SRE time is spent. With that measurement in hand, we ensure that the teams consistently spending less than 50% of their time on development work change their practices. Often this means shifting some of the operations burden back to the development team, or adding staff to the team without assigning that team additional operational responsibilities. 
Consciously maintaining this balance between ops and development work allows us to ensure that SREs have the bandwidth to engage in creative, autonomous engineering, while still retaining the wisdom gleaned from the operations side of running a service. + +We’ve found that Google SRE’s approach to running large-scale systems has many advantages. Because SREs are directly modifying code in their pursuit of making Google’s systems run themselves, SRE teams are characterized by both rapid innovation and a large acceptance of change. Such teams are relatively inexpensive—supporting the same service with an ops-oriented team would require a significantly larger number of people. Instead, the number of SREs needed to run, maintain, and improve a system scales sublinearly with the size of the system. Finally, not only does SRE circumvent the dysfunctionality of the dev/ops split, but this structure also improves our product development teams: easy transfers between product development and SRE teams cross-train the entire group, and improve skills of developers who otherwise may have difficulty learning how to build a million-core distributed system. + +Despite these net gains, the SRE model is characterized by its own distinct set of challenges. One continual challenge Google faces is hiring SREs: not only does SRE compete for the same candidates as the product development hiring pipeline, but the fact that we set the hiring bar so high in terms of both coding and system engineering skills means that our hiring pool is necessarily small. As our discipline is relatively new and unique, not much industry information exists on how to build and manage an SRE team (although hopefully this book will make strides in that direction!). And once an SRE team is in place, their potentially unorthodox approaches to service management require strong management support. 
For example, the decision to stop releases for the remainder of the quarter once an error budget is depleted might not be embraced by a product development team unless mandated by their management. + +###### DevOps or SRE? + +The term “DevOps” emerged in industry in late 2008 and as of this writing (early 2016) is still in a state of flux. Its core principles—involvement of the IT function in each phase of a system’s design and development, heavy reliance on automation versus human effort, the application of engineering practices and tools to operations tasks—are consistent with many of SRE’s principles and practices. One could view DevOps as a generalization of several core SRE principles to a wider range of organizations, management structures, and personnel. One could equivalently view SRE as a specific implementation of DevOps with some idiosyncratic extensions. + +------------------------ + +作者简介:Benjamin Treynor Sloss coined the term "Site Reliability Engineering" and has been responsible for global operations, networking, and production engineering at Google since 2003\. As of 2016, he manages a team of approximately 4,000 software, hardware, and network engineers across the globe. 
+ +-------------------------------------------------------------------------------- + +via: https://www.oreilly.com/ideas/what-is-sre-site-reliability-engineering + +作者:[Benjamin Treynor][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.oreilly.com/people/benjamin-treynor-sloss +[1]:https://shop.oreilly.com/product/0636920053385.do +[2]:https://shop.oreilly.com/product/0636920053385.do +[3]:https://www.oreilly.com/ideas/what-is-sre-site-reliability-engineering +[4]:https://shop.oreilly.com/product/0636920053385.do +[5]:https://shop.oreilly.com/product/0636920053385.do +[6]:https://www.oreilly.com/people/benjamin-treynor-sloss +[7]:https://pixabay.com/ +[8]:https://www.oreilly.com/people/benjamin-treynor-sloss +[9]:http://shop.oreilly.com/product/0636920041528.do?intcmp=il-webops-books-videos-update-na_new_site_site_reliability_engineering_text_cta +[10]:http://conferences.oreilly.com/velocity/devops-web-performance-eu?intcmp=il-webops-confreg-update-vleu16_new_site_what_is_sre_text_cta +[11]:https://pixabay.com/ From f6b30e60b313ed076da00d743a105a2a9ecabc39 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 13:46:13 +0800 Subject: [PATCH 133/181] =?UTF-8?q?20161231-2=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...0160325 Network automation with Ansible.md | 995 ++++++++++++++++++ 1 file changed, 995 insertions(+) create mode 100644 sources/tech/20160325 Network automation with Ansible.md diff --git a/sources/tech/20160325 Network automation with Ansible.md b/sources/tech/20160325 Network automation with Ansible.md new file mode 100644 index 0000000000..0f543a3c18 --- /dev/null +++ b/sources/tech/20160325 Network automation with Ansible.md 
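Review bot: in the new file "20160425 What is SRE.md", the section "The Sysadmin Approach to Service Management" goes straight from a paragraph that lists only advantages to "Traditional operations teams and their counterparts in product development thus often end up in conflict", so the "thus" has nothing to follow from; the excerpt appears to have lost text between those two paragraphs and should be checked against the page given in the "via:" line before it is handed to a translator. Smaller points in the same hunk: "SRE can be broken down two main categories" is missing "into"; "since 2003\." keeps a stray backslash escape; the author line is labelled "作者简介:" although the bio itself is still English; the link label "作者:[Benjamin Treynor][a]" drops the surname used in the bio ("Benjamin Treynor Sloss"). The body only uses references [9], [10] and [a], so definitions [1] to [8] and [11] are unused, and several of them repeat the same URL ([1], [2], [4], [5]; [6] and [8]; [7] and [11]); they can be dropped.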
@@ -0,0 +1,995 @@ +Network automation with Ansible +================ + +### Network Automation + +As the IT industry transforms with technologies from server virtualization to public and private clouds with self-service capabilities, containerized applications, and Platform as a Service (PaaS) offerings, one of the areas that continues to lag behind is the network. + +Over the past 5+ years, the network industry has seen many new trends emerge, many of which are categorized as software-defined networking (SDN). + +###### Note + +SDN is a new approach to building, managing, operating, and deploying networks. The original definition for SDN was that there needed to be a physical separation of the control plane from the data (packet forwarding) plane, and the decoupled control plane must control several devices. + +Nowadays, many more technologies get put under the _SDN umbrella_, including controller-based networks, APIs on network devices, network automation, whitebox switches, policy networking, Network Functions Virtualization (NFV), and the list goes on. + +For purposes of this report, we refer to SDN solutions as solutions that include a network controller as part of the solution, and improve manageability of the network but don’t necessarily decouple the control plane from the data plane. + +One of these trends is the emergence of application programming interfaces (APIs) on network devices as a way to manage and operate these devices and truly offer machine to machine communication. APIs simplify the development process when it comes to automation and building network applications, providing more structure on how data is modeled. For example, when API-enabled devices return data in JSON/XML, it is structured and easier to work with as compared to CLI-only devices that return raw text that then needs to be manually parsed. 
+ +Prior to APIs, the two primary mechanisms used to configure and manage network devices were the command-line interface (CLI) and Simple Network Management Protocol (SNMP). If we look at each of those, the CLI was meant as a human interface to the device, and SNMP wasn’t built to be a real-time programmatic interface for network devices. + +Luckily, as many vendors scramble to add APIs to devices, sometimes _just because_ it’s a check in the box on an RFP, there is actually a great byproduct—enabling network automation. Once a true API is exposed, the process for accessing data within the device, as well as managing the configuration, is greatly simplified, but as we’ll review in this report, automation is also possible using more traditional methods, such as CLI/SNMP. + +###### Note + +As network refreshes happen in the months and years to come, vendor APIs should no doubt be tested and used as key decision-making criteria for purchasing network equipment (virtual and physical). Users should want to know how data is modeled by the equipment, what type of transport is used by the API, if the vendor offers any libraries or integrations to automation tools, and if open standards/protocols are being used. + +Generally speaking, network automation, like most types of automation, equates to doing things faster. While doing more faster is nice, reducing the time for deployments and configuration changes isn’t always a problem that needs solving for many IT organizations. + +Including speed, we’ll now take a look at a few of the reasons that IT organizations of all shapes and sizes should look at gradually adopting network automation. You should note that the same principles apply to other types of automation as well. 
+ + +### Simplified Architectures + +Today, every network is a unique snowflake, and network engineers take pride in solving transport and application issues with one-off network changes that ultimately make the network not only harder to maintain and manage, but also harder to automate. + +Instead of thinking about network automation and management as a secondary or tertiary project, it needs to be included from the beginning as new architectures and designs are deployed. Which features work across vendors? Which extensions work across platforms? What type of API or automation tooling works when using particular network device platforms? When these questions get answered earlier on in the design process, the resulting architecture becomes simpler, repeatable, and easier to maintain _and_ automate, all with fewer vendor proprietary extensions enabled throughout the network. + +### Deterministic Outcomes + +In an enterprise organization, change review meetings take place to review upcoming changes on the network, the impact they have on external systems, and rollback plans. In a world where a human is touching the CLI to make those _upcoming changes_, the impact of typing the wrong command is catastrophic. Imagine a team with three, four, five, or 50 engineers. Every engineer may have his own way of making that particular _upcoming change_. And the ability to use a CLI or a GUI does not eliminate or reduce the chance of error during the control window for the change. + +Using proven and tested network automation helps achieve more predictable behavior and gives the executive team a better chance at achieving deterministic outcomes, moving one step closer to having the assurance that the task is going to get done right the first time without human error. + + +### Business Agility + +It goes without saying that network automation offers speed and agility not only for deploying changes, but also for retrieving data from network devices as fast as the business demands. 
Since the advent of server virtualization, server and virtualization admins have had the ability to deploy new applications almost instantaneously. And the faster applications are deployed, the more questions are raised as to why it takes so long to configure a VLAN, route, FW ACL, or load-balancing policy. + +By understanding the most common workflows within an organization and _why_ network changes are really required, the process to deploy modern automation tooling such as Ansible becomes much simpler. + +This chapter introduced some of the high-level points on why you should consider network automation. In the next section, we take a look at what Ansible is and continue to dive into different types of network automation that are relevant to IT organizations of all sizes. + + +### What Is Ansible? + +Ansible is one of the newer IT automation and configuration management platforms that exists in the open source world. It’s often compared to other tools such as Puppet, Chef, and SaltStack. Ansible emerged on the scene in 2012 as an open source project created by Michael DeHaan, who also created Cobbler and cocreated Func, both of which are very popular in the open source community. Less than 18 months after the Ansible open source project started, Ansible Inc. was formed and received $6 million in Series A funding. It became and is still the number one contributor to and supporter of the Ansible open source project. In October 2015, Red Hat acquired Ansible Inc. + +But, what exactly is Ansible? + +_Ansible is a super-simple automation platform that is agentless and extensible._ + +Let’s dive into this statement in a bit more detail and look at the attributes of Ansible that have helped it gain a significant amount of traction within the industry. + + +### Simple + +One of the most attractive attributes of Ansible is that you _DO NOT_ need any special coding skills in order to get started. 
All instructions, or tasks to be automated, are documented in a standard, human-readable data format that anyone can understand. It is not uncommon to have Ansible installed and automating tasks in under 30 minutes! + +For example, the following task from an Ansible playbook is used to ensure a VLAN exists on a Cisco Nexus switch: + +``` +- nxos_vlan: vlan_id=100 name=web_vlan +``` + +You can tell by looking at this almost exactly what it’s going to do without understanding or writing any code! + +###### Note + +The second half of this report covers the Ansible terminology (playbooks, plays, tasks, modules, etc.) in great detail. However, we have included a few brief examples in the meantime to convey key concepts when using Ansible for network automation. + +### Agentless + +If you look at other tools on the market, such as Puppet and Chef, you’ll learn that, by default, they require that each device you are automating have specialized software installed. This is _NOT_ the case with Ansible, and this is the major reason why Ansible is a great choice for networking automation. + +It’s well understood that IT automation tools, including Puppet, Chef, CFEngine, SaltStack, and Ansible, were initially built to manage and automate the configuration of Linux hosts to increase the pace at which applications are deployed. Because Linux systems were being automated, getting agents installed was never a technical hurdle to overcome. If anything, it just delayed the setup, since now _N_ number of hosts (the hosts you want to automate) needed to have software deployed on them. + +On top of that, when agents are used, there is additional complexity required for DNS and NTP configuration. These are services that most environments do have already, but when you need to get something up fairly quick or simply want to see what it can do from a test perspective, it could significantly delay the overall setup and installation process. 
+ +Since this report is meant to cover Ansible for network automation, it’s worth pointing out that having Ansible as an agentless platform is even more compelling to network admins than to sysadmins. Why is this? + +It’s more compelling for network admins because as mentioned, Linux operating systems are open, and anything can be installed on them. For networking, this is definitely not the case, although it is gradually changing. If we take the most widely deployed network operating system, Cisco IOS, as just one example and ask the question, _"Can third-party software be installed on IOS based platforms?"_ it shouldn’t come as a surprise that the answer is _NO_. + +For the last 20+ years, nearly all network operating systems have been closed and vertically integrated with the underlying network hardware. Because it’s not so easy to load an agent on a network device (router, switch, load balancer, firewall, etc.) without vendor support, having an automation platform like Ansible that was built from the ground up to be agentless and extensible is just what the doctor ordered for the network industry. We can finally start eliminating manual interactions with the network with ease! + +### Extensible + +Ansible is also extremely extensible. As open source and code start to play a larger role in the network industry, having platforms that are extensible is a must. This means that if the vendor or community doesn’t provide a particular feature or function, the open source community, end user, customer, consultant, or anyone else can _extend_ Ansible to enable a given set of functionality. In the past, the network vendor or tool vendor was on the hook to provide the new plug-ins and integrations. Imagine using an automation platform like Ansible, and your network vendor of choice releases a new feature that you _really_ need automated. 
While the network vendor or Ansible could in theory release the new plug-in to automate that particular feature, the great thing is, anyone from your internal engineers to your value-added reseller (VARs) or consultant could now provide these integrations. + +It is a fact that Ansible is extremely extensible because as stated, Ansible was initially built to automate applications and systems. It is because of Ansible’s extensibility that Ansible integrations have been written for network vendors, including but not limited to Cisco, Arista, Juniper, F5, HP, A10, Cumulus, and Palo Alto Networks. + + +### Why Ansible for Network Automation? + +We’ve taken a brief look at what Ansible is and also some of the benefits of network automation, but why should Ansible be used for network automation? + +In full transparency, many of the reasons already stated are what make Ansible such as great platform for automating application deployments. However, we’ll take this a step further now, getting even more focused on networking, and continue to outline a few other key points to be aware of. + + +### Agentless + +The importance of an agentless architecture cannot be stressed enough when it comes to network automation, especially as it pertains to automating existing devices. If we take a look at all devices currently installed at various parts of the network, from the DMZ and campus, to the branch and data center, the lion’s share of devices do _NOT_ have a modern device API. While having an API makes things so much simpler from an automation perspective, an agentless platform like Ansible makes it possible to automate and manage those _legacy_ _(traditional)_ devices, for example, _CLI-based devices_, making it a tool that can be used in any network environment. + +###### Note + +If CLI-only devices are integrated with Ansible, the mechanisms as to how the devices are accessed for read-only and read-write operations occur through protocols such as telnet, SSH, and SNMP. 
+ +As standalone network devices like routers, switches, and firewalls continue to add support for APIs, SDN solutions are also emerging. The one common theme with SDN solutions is that they all offer a single point of integration and policy management, usually in the form of an SDN controller. This is true for solutions such as Cisco ACI, VMware NSX, Big Switch Big Cloud Fabric, and Juniper Contrail, as well as many of the other SDN offerings from companies such as Nuage, Plexxi, Plumgrid, Midokura, and Viptela. This even includes open source controllers such as OpenDaylight. + +These solutions all simplify the management of networks, as they allow an administrator to start to migrate from box-by-box management to network-wide, single-system management. While this is a great step in the right direction, these solutions still don’t eliminate the risks for human error during change windows. For example, rather than configure _N_ switches, you may need to configure a single GUI that could take just as long in order to make the required configuration change—it may even be more complex, because after all, who prefers a GUI _over_ a CLI! Additionally, you may possibly have different types of SDN solutions deployed per application, network, region, or data center. + +The need to automate networks, for configuration management, monitoring, and data collection, does not go away as the industry begins migrating to controller-based network architectures. + +As most software-defined networks are deployed with a controller, nearly all controllers expose a modern REST API. And because Ansible has an agentless architecture, it makes it extremely simple to automate not only legacy devices that may not have an API, but also software-defined networking solutions via REST APIs, all without requiring any additional software (agents) on the endpoints. The net result is being able to automate any type of device using Ansible with or without an API. 
+ + +### Free and Open Source Software (FOSS) + +Being that Ansible is open source with all code publicly accessible on GitHub, it is absolutely free to get started using Ansible. It can literally be installed and providing value to network engineers in minutes. Ansible, the open source project, or Ansible Inc., do not require any meetings with sales reps before they hand over software either. That is stating the obvious, since it’s true for all open source projects, but being that the use of open source, community-driven software within the network industry is fairly new and gradually increasing, we wanted to explicitly make this point. + +It is also worth stating that Ansible, Inc. is indeed a company and needs to make money somehow, right? While Ansible is open source, it also has an enterprise product called Ansible Tower that adds features such as role-based access control (RBAC), reporting, web UI, REST APIs, multi-tenancy, and much more, which is usually a nice fit for enterprises looking to deploy Ansible. And the best part is that even Ansible Tower is _FREE_ for up to 10 devices—so, at least you can get a taste of Tower to see if it can benefit your organization without spending a dime and sitting in countless sales meetings. + + +### Extensible + +We stated earlier that Ansible was primarily built as an automation platform for deploying Linux applications, although it has expanded to Windows since the early days. The point is that the Ansible open source project did not have the goal of automating network infrastructure. The truth is that the more the Ansible community understood how flexible and extensible the underlying Ansible architecture was, the easier it became to _extend_ Ansible for their automation needs, which included networking. 
Over the past two years, there have been a number of Ansible integrations developed, many by industry independents such as Matt Oswalt, Jason Edelman, Kirk Byers, Elisa Jasinska, David Barroso, Michael Ben-Ami, Patrick Ogenstad, and Gabriele Gerbino, as well as by leading networking network vendors such as Arista, Juniper, Cumulus, Cisco, F5, and Palo Alto Networks. + + +### Integrating into Existing DevOps Workflows + +Ansible is used for application deployments within IT organizations. It’s used by operations teams that need to manage the deployment, monitoring, and management of various types of applications. By integrating Ansible with the network infrastructure, it expands what is possible when new applications are turned up or migrated. Rather than have to wait for a new top of rack (TOR) switch to be turned up, a VLAN to be added, or interface speed/duplex to be checked, all of these network-centric tasks can be automated and integrated into existing workflows that already exist within the IT organization. + + +### Idempotency + +The term _idempotency_ (pronounced item-potency) is used often in the world of software development, especially when working with REST APIs, as well as in the world of _DevOps_ automation and configuration management frameworks, including Ansible. One of Ansible’s beliefs is that all Ansible modules (integrations) should be idempotent. Okay, so what does it mean for a module to be idempotent? After all, this is a new term for most network engineers. + +The answer is simple. Being idempotent allows the defined task to run one time or a thousand times without having an adverse effect on the target system, only ever making the change once. In other words, if a change is required to get the system into its desired state, the change is made; and if the device is already in its desired state, no change is made. This is unlike most traditional custom scripts and the copy and pasting of CLI commands into a terminal window. 
When the same command or script is executed repeatedly on the same system, errors are (sometimes) raised. Ever paste a command set into a router and get some type of error that invalidates the rest of your configuration? Was that fun? + +Another example is if you have a text file or a script that configures 10 VLANs, the same commands are then entered 10 times _EVERY_ time the script is run. If an idempotent Ansible module is used, the existing configuration is gathered first from the network device, and each new VLAN being configured is checked against the current configuration. Only if the new VLAN needs to be added (or changed—VLAN name, as an example) is a change or command actually pushed to the device. + +As the technologies become more complex, the value of idempotency only increases because with idempotency, you shouldn’t care about the _existing_ state of the network device being modified, only the _desired_ state that you are trying to achieve from a network configuration and policy perspective. + + +### Network-Wide and Ad Hoc Changes + +One of the problems solved with configuration management tools is configuration drift (when a device’s desired configuration gradually drifts, or changes, over time due to manual change and/or having multiple disparate tools being used in an environment)—in fact, this is where tools like Puppet and Chef got started. Agents _phone home_ to the head-end server, validate its configuration, and if a change is required, the change is made. The approach is simple enough. What if an outage occurs and you need to troubleshoot though? You usually bypass the management system, go direct to a device, find the fix, and quickly leave for the day, right? Sure enough, at the next time interval when the agent phones back home, the change made to fix the problem is overwritten (based on how the _master/head-end server_ is configured). 
One-off changes should always be limited in highly automated environments, but tools that still allow for them are greatly valuable. As you guessed, one of these tools is Ansible. + +Because Ansible is agentless, there is not a default push or pull to prevent configuration drift. The tasks to automate are defined in what is called an Ansible playbook. When using Ansible, it is up to the user to run the playbook. If the playbook is to be executed at a given time interval and you’re not using Ansible Tower, you will definitely know how often the tasks are run; if you are just using the native Ansible command line from a terminal prompt, the playbook is run once and only once. + +Running a playbook once by default is attractive for network engineers. It is added peace of mind that changes made manually on the device are not going to be automatically overwritten. Additionally, the scope of devices that a playbook is executed against is easily changed when needed such that even if a single change needs to automate only a single device, Ansible can still be used. The _scope_ of devices is determined by what is called an Ansible inventory file; the inventory could have one device or a thousand devices. + +The following shows a sample inventory file with two groups defined and a total of six network devices: + +``` +[core-switches] +dc-core-1 +dc-core-2 + +[leaf-switches] +leaf1 +leaf2 +leaf3 +leaf4 +``` + +To automate all hosts, a snippet from your play definition in a playbook looks like this: + +``` +hosts: all +``` + +And to automate just one leaf switch, it looks like this: + +``` +hosts: leaf1 +``` + +And just the core switches: + +``` +hosts: core-switches +``` + +###### Note + +As stated previously, playbooks, plays, and inventories are covered in more detail later on this report. + +Being able to easily automate one device or _N_ devices makes Ansible a great choice for making those one-off changes when they are required. 
It’s also great for those changes that are network-wide: possibly for shutting down all interfaces of a given type, configuring interface descriptions, or adding VLANs to wiring closets across an enterprise campus network. + +### Network Task Automation with Ansible + +This report is gradually getting more technical in two areas. The first area is around the details and architecture of Ansible, and the second area is about exactly what types of tasks can be automated from a network perspective with Ansible. The latter is what we’ll take a look at in this chapter. + +Automation is commonly equated with speed, and considering that some network tasks don’t require speed, it’s easy to see why some IT teams don’t see the value in automation. VLAN configuration is a great example because you may be thinking, "How _fast_ does a VLAN really need to get created? Just how many VLANs are being added on a daily basis? Do _I_ really need automation?” + +In this section, we are going to focus on several other tasks where automation makes sense such as device provisioning, data collection, reporting, and compliance. But remember, as we stated earlier, automation is much more than speed and agility as it’s offering you, your team, and your business more predictable and more deterministic outcomes. + +### Device Provisioning + +One of the easiest and fastest ways to get started using Ansible for network automation is creating device configuration files that are used for initial device provisioning and pushing them to network devices. + +If we take this process and break it down into two steps, the first step is creating the configuration file, and the second is pushing the configuration onto the device. + +First, we need to decouple the _inputs_ from the underlying vendor proprietary syntax (CLI) of the config file. 
This means we’ll have separate files with values for the configuration parameters such as VLANs, domain information, interfaces, routing, and everything else, and then, of course, a configuration template file(s). For this example, this is our standard golden template that’s used for all devices getting deployed. Ansible helps bridge the gap between rendering the inputs and values with the configuration template. In less than a few seconds, Ansible can generate hundreds of configuration files predictably and reliably. + +Let’s take a quick look at an example of taking a current configuration and decomposing it into a template and separate variables (inputs) file. + +Here is an example of a configuration file snippet: + +``` +hostname leaf1 +ip domain-name ntc.com +! +vlan 10 + name web +! +vlan 20 + name app +! +vlan 30 + name db +! +vlan 40 + name test +! +vlan 50 + name misc +``` + +If we extract the input values, this file is transformed into a template. + +###### Note + +Ansible uses the Python-based Jinja2 templating language, thus the template called _leaf.j2_ is a Jinja2 template. + +Note that in the following example the _double curly braces_ denote a variable. + +The resulting template looks like this and is given the filename _leaf.j2_: + +``` +! +hostname {{ inventory_hostname }} +ip domain-name {{ domain_name }} +! +! +{% for vlan in vlans %} +vlan {{ vlan.id }} + name {{ vlan.name }} +{% endfor %} +! +``` + +Since the double curly braces denote variables, and we see those values are not in the template, they need to be stored somewhere. They get stored in a variables file. A matching variables file for the previously shown template looks like this: + +``` +--- +hostname: leaf1 +domain_name: ntc.com +vlans: + - { id: 10, name: web } + - { id: 20, name: app } + - { id: 30, name: db } + - { id: 40, name: test } + - { id: 50, name: misc } +``` + +This means if the team that controls VLANs wants to add a VLAN to the network devices, no problem. 
Have them change it in the variables file and regenerate a new config file using the Ansible module called `template`. This whole process is idempotent too; only if there is a change to the template or values being entered will a new configuration file be generated. + +Once the configuration is generated, it needs to be _pushed_ to the network device. One such method to push configuration files to network devices is using the open source Ansible module called `napalm_install_config`. + +The next example is a sample playbook to _build and push_ a configuration to network devices. Again, this playbook uses the `template` module to build the configuration files and the `napalm_install_config` to push them and activate them as the new running configurations on the devices. + +Even though every line isn’t reviewed in the example, you can still make out what is actually happening. + +###### Note + +The following playbook introduces new concepts such as the built-in variable `inventory_hostname`. These concepts are covered in [Ansible Terminology and Getting Started][1]. + +``` +--- + + - name: BUILD AND PUSH NETWORK CONFIGURATION FILES + hosts: leaves + connection: local + gather_facts: no + + tasks: + - name: BUILD CONFIGS + template: + src=templates/leaf.j2 + dest=configs/{{inventory_hostname }}.conf + + - name: PUSH CONFIGS + napalm_install_config: + hostname={{ inventory_hostname }} + username={{ un }} + password={{ pwd }} + dev_os={{ os }} + config_file=configs/{{ inventory_hostname }}.conf + commit_changes=1 + replace_config=0 +``` + +This two-step process is the simplest way to get started with network automation using Ansible. You simply template your configs, build config files, and push them to the network device—otherwise known as the _BUILD and PUSH_ method. + +###### Note + +Another example like this is reviewed in much more detail in [Ansible Network Integrations][2]. 
+ + +### Data Collection and Monitoring + +Monitoring tools typically use SNMP—these tools poll certain management information bases (MIBs) and return data to the monitoring tool. Based on the data being returned, it may be more or less than you actually need. What if interface stats are being polled? You are likely getting back every counter that is displayed in a _show interface_ command. What if you only need _interface resets_ and wish to see these resets correlated to the interfaces that have CDP/LLDP neighbors on them? Of course, this is possible with current technology; it could be you are running multiple show commands and parsing the output manually, or you’re using an SNMP-based tool but going between tabs in the GUI trying to find the data you actually need. How does Ansible help with this? + +Being that Ansible is totally open and extensible, it’s possible to collect and monitor the exact counters or values needed. This may require some up-front custom work but is totally worth it in the end, because the data being gathered is what you need, not what the vendor is providing you. Ansible also provides intuitive ways to perform certain tasks conditionally, which means based on data being returned, you can perform subsequent tasks, which may be to collect more data or to make a configuration change. + +Network devices have _A LOT_ of static and ephemeral data buried inside, and Ansible helps extract the bits you need. + +You can even use Ansible modules that use SNMP behind the scenes, such as a module called `snmp_device_version`. This is another open source module that exists within the community: + +``` + - name: GET SNMP DATA + snmp_device_version: + host=spine + community=public + version=2c +``` + +Running the preceding task returns great information about a device and adds some level of discovery capabilities to Ansible. 
For example, that task returns the following data: + +``` +{"ansible_facts": {"ansible_device_os": "nxos", "ansible_device_vendor": "cisco", "ansible_device_version": "7.0(3)I2(1)"}, "changed": false} +``` + +You can now determine what type of device something is without knowing up front. All you need to know is the read-only community string of the device. + + +### Migrations + +Migrating from one platform to the next is never an easy task. This may be from the same vendor or from different vendors. Vendors may offer a script or a tool to help with migrations. Ansible can be used to build out configuration templates for all types of network devices and operating systems in such a way that you could generate a configuration file for all vendors given a defined and common set of inputs (common data model). Of course, if there are vendor proprietary extensions, they’ll need to be accounted for, too. Having this type of flexibility helps with not only migrations, but also disaster recovery (DR), as it’s very common to have different switch models in the production and DR data centers, maybe even different vendors. + + +### Configuration Management + +As stated, configuration management is the most common type of automation. What Ansible allows you to do fairly easily is create _roles_ to streamline the consumption of task-based automation. From a high level, a role is a logical grouping of reusable tasks that are automated against a particular group of devices. Another way to think about roles is to think about workflows. First and foremost, workflows and processes need to be understood before automation is going to start adding value. It’s always important to start small and expand from there. + +For example, a set of tasks that automate the configuration of routers and switches is very common and is a great place to start. But where do the IP addresses come from that are configured on network devices? Maybe an IP address management solution? 
Once the IP addresses are allocated for a given function and deployed, does DNS need to be updated too? Do DHCP scopes need to be created? + +Can you see how the workflow can start small and gradually expand across different IT systems? As the workflow continues to expand, so would the role. + + +### Compliance + +As with many forms of automation, making configuration changes with any type of automation tool is seen as a risk. While making manual changes could arguably be riskier, as you’ve read and may have experienced firsthand, Ansible has capabilities to automate data collection, monitoring, and configuration building, which are all "read-only" and "low risk" actions. One _low risk_ use case that can use the data being gathered is configuration compliance checks and configuration validation. Does the deployed configuration meet security requirements? Are the required networks configured? Is protocol XYZ disabled? Since each module, or integration, with Ansible returns data, it is quite simple to _assert_ that something is _TRUE_ or _FALSE_. And again, based on _it_ being _TRUE_ or _FALSE_, it’s up to you to determine what happens next—maybe it just gets logged, or maybe a complex operation is performed. + +### Reporting + +We now understand that Ansible can also be used to collect data and perform compliance checks. The data being returned and collected from the device by way of Ansible is up for grabs in terms of what you want to do with it. Maybe the data being returned becomes inputs to other tasks, or maybe you just want to create reports. Being that reports are generated from templates combined with the actual important data to be inserted into the template, the process to create and use reporting templates is the same process used to create configuration templates. + +From a reporting perspective, these templates may be flat text files, markdown files that are viewed on GitHub, HTML files that get dynamically placed on a web server, and the list goes on. 
The user has the power to create the exact type of report she wishes, inserting the exact data she needs to be part of that report. + +It is powerful to create reports not only for executive management, but also for the ops engineers, since there are usually different metrics both teams need. + + +### How Ansible Works + +After looking at what Ansible can offer from a network automation perspective, we’ll now take a look at how Ansible works. You will learn about the overall communication flow from an Ansible control host to the nodes that are being automated. First, we review how Ansible works _out of the box_, and we then take a look at how Ansible, and more specifically Ansible _modules_, work when network devices are being automated. + +### Out of the Box + +By now, you should understand that Ansible is an automation platform. In fact, it is a lightweight automation platform that is installed on a single server or on every administrator’s laptop within an organization. You decide. Ansible is easily installed using utilities such as pip, apt, and yum on Linux-based machines. + +###### Note + +The machine that Ansible is installed on is referred to as the _control host_ through the remainder of this report. + +The control host will perform all automation tasks that are defined in an Ansible playbook (don’t worry; we’ll cover playbooks and other Ansible terms soon enough). The important piece for now is to understand that a playbook is simply a set of automation tasks and instructions that gets executed on a given number of hosts. + +When a playbook is created, you also need to define which hosts you want to automate. The mapping between the playbook and the hosts to automate happens by using what is known as an Ansible inventory file. 
This was already shown in an earlier example, but here is another sample inventory file showing two groups: `cisco`and `arista`: + +``` +[cisco] +nyc1.acme.com +nyc2.acme.com + +[arista] +sfo1.acme.com +sfo2.acme.com +``` + +###### Note + +You can also use IP addresses within the inventory file, instead of hostnames. For these examples, the hostnames were resolvable via DNS. + +As you can see, the Ansible inventory file is a text file that lists hosts and groups of hosts. You then reference a specific host or a group from within the playbook, thus dictating which hosts get automated for a given play and playbook. This is shown in the following two examples. + +The first example shows what it looks like if you wanted to automate all hosts within the `cisco` group, and the second example shows how to automate just the _nyc1.acme.com_ host: + +``` +--- + + - name: TEST PLAYBOOK + hosts: cisco + + tasks: + - TASKS YOU WANT TO AUTOMATE +``` + +``` +--- + + - name: TEST PLAYBOOK + hosts: nyc1.acme.com + + tasks: + - TASKS YOU WANT TO AUTOMATE +``` + +Now that the basics of inventory files are understood, we can take a look at how Ansible (the control host) communicates with devices _out of the box_ and how tasks are automated on Linux endpoints. This is an important concept to understand, as this is usually different when network devices are being automated. + +There are two main requirements for Ansible to work out of the box to automate Linux-based systems. These requirements are SSH and Python. + +First, the endpoints must support SSH for transport, since Ansible uses SSH to connect to each target node. Because Ansible supports a pluggable connection architecture, there are also various plug-ins available for different types of SSH implementations. + +The second requirement is how Ansible gets around the need to require an _agent_ to preexist on the target node. While Ansible does not require a software agent, it does require an onboard Python execution engine. 
This execution engine is used to execute Python code that is transmitted from the Ansible control host to the target node being automated. + +If we elaborate on this out of the box workflow, it is broken down as follows: + +1. When an Ansible play is executed, the control host connects to the Linux-based target node using SSH. + +2. For each task, that is, Ansible module being executed within the play, Python code is transmitted over SSH and executed directly on the remote system. + +3. Each Ansible module upon execution on the remote system returns JSON data to the control host. This data includes information such as if the configuration changed, if the task passed/failed, and other module-specific data. + +4. The JSON data returned back to Ansible can then be used to generate reports using templates or as inputs to subsequent modules. + +5. Repeat step 3 for each task that exists within the play. + +6. Repeat step 1 for each play within the playbook. + +Shouldn’t this mean that network devices should work out of the box with Ansible because they also support SSH? It is true that network devices do support SSH, but it is the first requirement combined with the second one that limits the functionality possible for network devices. + +To start, most network devices do not support Python, so it makes using the default Ansible connection mechanism process a non-starter. That said, over the past few years, vendors have added Python support on several different device platforms. However, most of these platforms still lack the integration needed to allow Ansible to get direct access to a Linux shell over SSH with the proper permissions to copy over the required code, create temp directories and files, and execute the code on box. While all the parts are there for Ansible to work natively with SSH/Python _and_ Linux-based network devices, it still requires network vendors to open their systems more than they already have. 
+ +###### Note + +It is worth noting that Arista does offer native integration because it is able to drop SSH users directly into a Linux shell with access to a Python execution engine, which in turn does allow Ansible to use its default connection mechanism. Because we called out Arista, we need to also highlight Cumulus as working with Ansible’s default connection mechanism, too. This is because Cumulus Linux is native Linux, and there isn’t a need to use a vendor API for the automation of the Cumulus Linux OS. + +### Ansible Network Integrations + +The previous section covered the way Ansible works by default. We looked at how Ansible sets up a connection to a device at the beginning of a _play_, executes tasks by copying Python code to the devices, executes the code, and then returns results back to the Ansible control host. + +In this section, we’ll take a look at what this process is when automating network devices with Ansible. As already covered, Ansible has a pluggable connection architecture. For _most_ network integrations, the `connection` parameter is set to `local`. The most common place to make the connection type local is within the playbook, as shown in the following example: + +``` +--- + + - name: TEST PLAYBOOK + hosts: cisco + connection: local + + tasks: + - TASKS YOU WANT TO AUTOMATE +``` + +Notice how within the play definition, this example added the `connection` parameter as compared to the examples in the previous section. + +This tells Ansible not to connect to the target device via SSH and to just connect to the local machine running the playbook. Basically, this delegates the connection responsibility to the actual Ansible modules being used within the _tasks_ section of the playbook. 
Delegating power for each type of module allows the modules to connect to the device in whatever fashion necessary; this could be NETCONF for Juniper and HP Comware7, eAPI for Arista, NX-API for Cisco Nexus, or even SNMP for traditional/legacy-based systems that don’t have a programmatic API. + +###### Note + +Network integrations in Ansible come in the form of Ansible modules. While we continue to whet your appetite using terminology such as playbooks, plays, tasks, and modules to convey key concepts, each of these terms are finally covered in greater detail in [Ansible Terminology and Getting Started][3] and [Hands-on Look at Using Ansible for Network Automation][4]. + +Let’s take a look at another sample playbook: + +``` +--- + + - name: TEST PLAYBOOK + hosts: cisco + connection: local + + tasks: + - nxos_vlan: vlan_id=10 name=WEB_VLAN +``` + +If you notice, this playbook now includes a task, and this task uses the `nxos_vlan` module. The `nxos_vlan` module is just a Python file, and it is in this file where the connection to the Cisco NX-OS device is made using NX-API. However, the connection could have been set up using any other device API, and this is how vendors and users like us are able to build our own integrations. Integrations (modules) are typically done on a per-feature basis, although as you’ve already seen with modules like `napalm_install_config`, they can be used to _push_ a full configuration file, too. + +One of the major differences is that with the default connection mechanism, Ansible launches a persistent SSH connection to the device, and this connection persists for a given play. When the connection setup and teardown occurs within the module, as with many network modules that use `connection=local`, Ansible is logging in/out of the device on _every_ task versus this happening on the play level. + +And in traditional Ansible fashion, each network module returns JSON data. 
The only difference is the massaging of this data is happening locally on the Ansible control host versus on the target node. The data returned back to the playbook varies per vendor and type of module, but as an example, many of the Cisco NX-OS modules return back existing state, proposed state, and end state, as well as the commands (if any) that are being sent to the device. + +As you get started using Ansible for network automation, it is important to remember that setting the connection parameter to local is taking Ansible out of the connection setup/teardown process and leaving that up to the module. This is why modules supported for different types of vendor platforms will have different ways of communicating with the devices. + + +### Ansible Terminology and Getting Started + +This chapter walks through many of the terms and key concepts that have been gradually introduced already in this report. These are terms such as _inventory file_, _playbook_, _play_, _tasks_, and _modules_. We also review a few other concepts that are helpful to be aware of when getting started with Ansible for network automation. + +Please reference the following sample inventory file and playbook throughout this section, as they are continuously used in the examples that follow to convey what each Ansible term means. 
+ +_Sample inventory_: + +``` +# sample inventory file +# filename inventory + +[all:vars] +user=admin +pwd=admin + +[tor] +rack1-tor1 vendor=nxos +rack1-tor2 vendor=nxos +rack2-tor1 vendor=arista +rack2-tor2 vendor=arista + +[core] +core1 +core2 +``` + +_Sample playbook_: + +``` +--- +# sample playbook +# filename site.yml + + - name: PLAY 1 - Top of Rack (TOR) Switches + hosts: tor + connection: local + + tasks: + - name: ENSURE VLAN 10 EXISTS ON CISCO TOR SWITCHES + nxos_vlan: + vlan_id=10 + name=WEB_VLAN + host={{ inventory_hostname }} + username=admin + password=admin + when: vendor == "nxos" + + - name: ENSURE VLAN 10 EXISTS ON ARISTA TOR SWITCHES + eos_vlan: + vlanid=10 + name=WEB_VLAN + host={{ inventory_hostname }} + username={{ user }} + password={{ pwd }} + when: vendor == "arista" + + - name: PLAY 2 - Core (TOR) Switches + hosts: core + connection: local + + tasks: + - name: ENSURE VLANS EXIST IN CORE + nxos_vlan: + vlan_id={{ item }} + host={{ inventory_hostname }} + username={{ user }} + password={{ pwd }} + with_items: + - 10 + - 20 + - 30 + - 40 + - 50 +``` + +### Inventory File + +Using an inventory file, such as the preceding one, enables us to automate tasks for specific hosts and groups of hosts by referencing the proper host/group using the `hosts` parameter that exists at the top section of each play. + +It is also possible to store variables within an inventory file. This is shown in the example. If the variable is on the same line as a host, it is a host-specific variable. If the variables are defined within brackets such as `[all:vars]`, it means that the variables are in scope for the group `all`, which is a default group that includes _all_ hosts in the inventory file. 
+ +###### Note + +Inventory files are the quickest way to get started with Ansible, but should you already have a source of truth for network devices such as a network management tool or CMDB, it is possible to create and use a dynamic inventory script rather than a static inventory file. + +### Playbook + +The playbook is the top-level object that is executed to automate network devices. In our example, this is the file _site.yml_, as depicted in the preceding example. A playbook uses YAML to define the set of tasks to automate, and each playbook is comprised of one or more plays. This is analogous to a football playbook. Like in football, teams have playbooks made up of plays, and Ansible playbooks are made up of plays, too. + +###### Note + +YAML is a data format that is supported by all programming languages. YAML is itself a superset of JSON, and it’s quite easy to recognize YAML files, as they always start with three dashes (hyphens), `---`. + + +### Play + +One or more plays can exist within an Ansible playbook. In the preceding example, there are two plays within the playbook. Each starts with a _header_ section where play-specific parameters are defined. + +The two plays from that example have the following parameters defined: + +`name` + +The text `PLAY 1 - Top of Rack (TOR) Switches` is arbitrary and is displayed when the playbook runs to improve readability during playbook execution and reporting. This is an optional parameter. + +`hosts` + +As covered previously, this is the host or group of hosts that are automated in this particular play. This is a required parameter. + +`connection` + +As covered previously, this is the type of connection mechanism used for the play. This is an optional parameter, but is commonly set to `local` for network automation plays. + + + +Each play is comprised of one or more tasks. 
+ + + +### Tasks + +Tasks represent what is automated in a declarative manner without worrying about the underlying syntax or "how" the operation is performed. + +In our example, the first play has two tasks. Each task ensures VLAN 10 exists. The first task does this for Cisco Nexus devices, and the second task does this for Arista devices: + +``` +tasks: + - name: ENSURE VLAN 10 EXISTS ON CISCO TOR SWITCHES + nxos_vlan: + vlan_id=10 + name=WEB_VLAN + host={{ inventory_hostname }} + username=admin + password=admin + when: vendor == "nxos" +``` + +Tasks can also use the `name` parameter just like plays can. As with plays, the text is arbitrary and is displayed when the playbook runs to improve readability during playbook execution and reporting. It is an optional parameter for each task. + +The next line in the example task starts with `nxos_vlan`. This tell us that this task will execute the Ansible module called `nxos_vlan`. + +We’ll now dig deeper into modules. + + + +### Modules + +It is critical to understand modules within Ansible. While any programming language can be used to write Ansible modules as long as they return JSON key-value pairs, they are almost always written in Python. In our example, we see two modules being executed: `nxos_vlan` and `eos_vlan`. The modules are both Python files; and in fact, while you can’t tell from looking at the playbook, the real filenames are _eos_vlan.py_ and _nxos_vlan.py_, respectively. + +Let’s look at the first task in the first play from the preceding example: + +``` + - name: ENSURE VLAN 10 EXISTS ON CISCO TOR SWITCHES + nxos_vlan: + vlan_id=10 + name=WEB_VLAN + host={{ inventory_hostname }} + username=admin + password=admin + when: vendor == "nxos" +``` + +This task executes `nxos_vlan`, which is a module that automates VLAN configuration. In order to use modules, including this one, you need to specify the desired state or configuration policy you want the device to have. 
This example states: VLAN 10 should be configured with the name `WEB_VLAN`, and it should exist on each switch being automated. We can see this easily with the `vlan_id`and `name` parameters. There are three other parameters being passed into the module as well. They are `host`, `username`, and `password`: + +`host` + +This is the hostname (or IP address) of the device being automated. Since the hosts we want to automate are already defined in the inventory file, we can use the built-in Ansible variable `inventory_hostname`. This variable is equal to what is in the inventory file. For example, on the first iteration, the host in the inventory file is `rack1-tor1`, and on the second iteration, it is `rack1-tor2`. These names are passed into the module and then within the module, a DNS lookup occurs on each name to resolve it to an IP address. Then the communication begins with the device. + +`username` + +Username used to log in to the switch. + + +`password` + +Password used to log in to the switch. + + +The last piece to cover here is the use of the `when` statement. This is how Ansible performs conditional tasks within a play. As we know, there are multiple devices and types of devices that exist within the `tor` group for this play. Using `when` offers an option to be more selective based on any criteria. Here we are only automating Cisco devices because we are using the `nxos_vlan` module in this task, while in the next task, we are automating only the Arista devices because the `eos_vlan` module is used. + +###### Note + +This isn’t the only way to differentiate between devices. This is being shown to illustrate the use of `when` and that variables can be defined within the inventory file. + +Defining variables in an inventory file is great for getting started, but as you continue to use Ansible, you’ll want to use YAML-based variables files to help with scale, versioning, and minimizing change to a given file. 
This will also simplify and improve readability for the inventory file and each variables file used. An example of a variables file was given earlier when the build/push method of device provisioning was covered. + +Here are a few other points to understand about the tasks in the last example: + +* Play 1 task 1 shows the `username` and `password` hardcoded as parameters being passed into the specific module (`nxos_vlan`). + +* Play 1 task 1 and play 2 passed variables into the module instead of hardcoding them. This masks the `username` and `password`parameters, but it’s worth noting that these variables are being pulled from the inventory file (for this example). + +* Play 1 uses a _horizontal_ key=value syntax for the parameters being passed into the modules, while play 2 uses the vertical key=value syntax. Both work just fine. You can also use vertical YAML syntax with "key: value" syntax. + +* The last task also introduces how to use a _loop_ within Ansible. This is by using `with_items` and is analogous to a for loop. That particular task is looping through five VLANs to ensure they all exist on the switch. Note: it’s also possible to store these VLANs in an external YAML variables file as well. Also note that the alternative to not using `with_items` would be to have one task per VLAN—and that just wouldn’t scale! + + +### Hands-on Look at Using Ansible for Network Automation + +In the previous chapter, a general overview of Ansible terminology was provided. This covered many of the specific Ansible terms, such as playbooks, plays, tasks, modules, and inventory files. This section will continue to provide working examples of using Ansible for network automation, but will provide more detail on working with modules to automate a few different types of devices. Examples will include automating devices from multiple vendors, including Cisco, Arista, Cumulus, and Juniper. + +The examples in this section assume the following: + +* Ansible is installed. 
+ +* The proper APIs are enabled on the devices (NX-API, eAPI, NETCONF). + +* Users exist with the proper permissions on the system to make changes via the API. + +* All Ansible modules exist on the system and are in the library path. + +###### Note + +Setting the module and library path can be done within the _ansible.cfg_ file. You can also use the `-M` flag from the command line to change it when executing a playbook. + +The inventory used for the examples in this section is shown in the following section (with passwords removed and IP addresses changed). In this example, some hostnames are not FQDNs as they were in the previous examples. + + +### Inventory File + +``` +[cumulus] +cvx ansible_ssh_host=1.2.3.4 ansible_ssh_pass=PASSWORD + +[arista] +veos1 + +[cisco] +nx1 hostip=5.6.7.8 un=USERNAME pwd=PASSWORD + +[juniper] +vsrx hostip=9.10.11.12 un=USERNAME pwd=PASSWORD +``` + +###### Note + +Just in case you’re wondering at this point, Ansible does support functionality that allows you to store passwords in encrypted files. If you want to learn more about this feature, check out [Ansible Vault][5] in the docs on the Ansible website. + +This inventory file has four groups defined with a single host in each group. Let’s review each section in a little more detail: + +Cumulus + +The host `cvx` is a Cumulus Linux (CL) switch, and it is the only device in the `cumulus` group. Remember that CL is native Linux, so this means the default connection mechanism (SSH) is used to connect to and automate the CL switch. Because `cvx` is not defined in DNS or _/etc/hosts_, we’ll let Ansible know not to use the hostname defined in the inventory file, but rather the name/IP defined for `ansible_ssh_host`. The username to log in to the CL switch is defined in the playbook, but you can see that the password is being defined in the inventory file using the `ansible_ssh_pass` variable. + +Arista + +The host called `veos1` is an Arista switch running EOS. 
It is the only host that exists within the `arista` group. As you can see for Arista, there are no other parameters defined within the inventory file. This is because Arista uses a special configuration file for their devices. This file is called _.eapi.conf_ and for our example, it is stored in the home directory. Here is the conf file being used for this example to function properly: + +``` +[connection:veos1] +host: 2.4.3.4 +username: unadmin +password: pwadmin +``` + +This file contains all required information for Ansible (and the Arista Python library called _pyeapi_) to connect to the device using just the information as defined in the conf file. + +Cisco + +Just like with Cumulus and Arista, there is only one host (`nx1`) that exists within the `cisco` group. This is an NX-OS-based Cisco Nexus switch. Notice how there are three variables defined for `nx1`. They include `un` and `pwd`, which are accessed in the playbook and passed into the Cisco modules in order to connect to the device. In addition, there is a parameter called `hostip`. This is required because `nx1` is also not defined in DNS or configured in the _/etc/hosts_ file. + + +###### Note + +We could have named this parameter anything. If automating a native Linux device, `ansible_ssh_host` is used just like we saw with the Cumulus example (if the name as defined in the inventory is not resolvable). In this example, we could have still used `ansible_ssh_host`, but it is not a requirement, since we’ll be passing this variable as a parameter into Cisco modules, whereas `ansible_ssh_host` is automatically checked when using the default SSH connection mechanism. + +Juniper + +As with the previous three groups and hosts, there is a single host `vsrx` that is located within the `juniper` group. The setup within the inventory file is identical to that of Cisco’s as both are used the same exact way within the playbook. + + +### Playbook + +The next playbook has four different plays. 
Each play is built to automate a specific group of devices based on vendor type. Note that this is only one way to perform these tasks within a single playbook. There are other ways in which we could have used conditionals (`when` statement) or created Ansible roles (which is not covered in this report). + +Here is the example playbook: + +``` +--- + + - name: PLAY 1 - CISCO NXOS + hosts: cisco + connection: local + + tasks: + - name: ENSURE VLAN 100 exists on Cisco Nexus switches + nxos_vlan: + vlan_id=100 + name=web_vlan + host={{ hostip }} + username={{ un }} + password={{ pwd }} + + - name: PLAY 2 - ARISTA EOS + hosts: arista + connection: local + + tasks: + - name: ENSURE VLAN 100 exists on Arista switches + eos_vlan: + vlanid=100 + name=web_vlan + connection={{ inventory_hostname }} + + - name: PLAY 3 - CUMULUS + remote_user: cumulus + sudo: true + hosts: cumulus + + tasks: + - name: ENSURE 100.10.10.1 is configured on swp1 + cl_interface: name=swp1 ipv4=100.10.10.1/24 + + - name: restart networking without disruption + shell: ifreload -a + + - name: PLAY 4 - JUNIPER SRX changes + hosts: juniper + connection: local + + tasks: + - name: INSTALL JUNOS CONFIG + junos_install_config: + host={{ hostip }} + file=srx_demo.conf + user={{ un }} + passwd={{ pwd }} + logfile=deploysite.log + overwrite=yes + diffs_file=junpr.diff +``` + +You will notice the first two plays are very similar to what we already covered in the original Cisco and Arista example. The only difference is that each group being automated (`cisco` and `arista`) is defined in its own play, and this is in contrast to using the `when`conditional that was used earlier. + +There is no right way or wrong way to do this. It all depends on what information is known up front and what fits your environment and use cases best, but our intent is to show a few ways to do the same thing. + +The third play automates the configuration of interface `swp1` that exists on the Cumulus Linux switch. 
The first task within this play ensures that `swp1` is a Layer 3 interface and is configured with the IP address 100.10.10.1\. Because Cumulus Linux is native Linux, the networking service needs to be restarted for the changes to take effect. This could have also been done using Ansible handlers (out of the scope of this report). There is also an Ansible core module called `service` that could have been used, but that would disrupt networking on the switch; using `ifreload` restarts networking non-disruptively. + +Up until now in this section, we looked at Ansible modules focused on specific tasks such as configuring interfaces and VLANs. The fourth play uses another option. We’ll look at a module that _pushes_ a full configuration file and immediately activates it as the new running configuration. This is what we showed previously using `napalm_install_config`, but this example uses a Juniper-specific module called `junos_install_config`. + +This module `junos_install_config` accepts several parameters, as seen in the example. By now, you should understand what `user`, `passwd`, and `host` are used for. The other parameters are defined as follows: + +`file` + +This is the config file that is copied from the Ansible control host to the Juniper device. + +`logfile` + +This is optional, but if specified, it is used to store messages generated while executing the module. + +`overwrite` + +When set to yes/true, the complete configuration is replaced with the file being sent (default is false). + +`diffs_file` + +This is optional, but if specified, will store the diffs generated when applying the configuration. An example of the diff generated when just changing the hostname but still sending a complete config file is shown next: + +``` +# filename: junpr.diff +[edit system] +- host-name vsrx; ++ host-name vsrx-demo; +``` + + +That covers the detailed overview of the playbook. 
Let’s take a look at what happens when the playbook is executed: + +###### Note + +Note: the `-i` flag is used to specify the inventory file to use. The `ANSIBLE_HOSTS`environment variable can also be set rather than using the flag each time a playbook is executed. + +``` +ntc@ntc:~/ansible/multivendor$ ansible-playbook -i inventory demo.yml + +PLAY [PLAY 1 - CISCO NXOS] ************************************************* + +TASK: [ENSURE VLAN 100 exists on Cisco Nexus switches] ********************* +changed: [nx1] + +PLAY [PLAY 2 - ARISTA EOS] ************************************************* + +TASK: [ENSURE VLAN 100 exists on Arista switches] ************************** +changed: [veos1] + +PLAY [PLAY 3 - CUMULUS] **************************************************** + +GATHERING FACTS ************************************************************ +ok: [cvx] + +TASK: [ENSURE 100.10.10.1 is configured on swp1] *************************** +changed: [cvx] + +TASK: [restart networking without disruption] ****************************** +changed: [cvx] + +PLAY [PLAY 4 - JUNIPER SRX changes] **************************************** + +TASK: [INSTALL JUNOS CONFIG] *********************************************** +changed: [vsrx] + +PLAY RECAP *************************************************************** + to retry, use: --limit @/home/ansible/demo.retry + +cvx : ok=3 changed=2 unreachable=0 failed=0 +nx1 : ok=1 changed=1 unreachable=0 failed=0 +veos1 : ok=1 changed=1 unreachable=0 failed=0 +vsrx : ok=1 changed=1 unreachable=0 failed=0 +``` + +You can see that each task completes successfully; and if you are on the terminal, you’ll see that each changed task was displayed with an amber color. + +Let’s run this playbook again. 
By running it again, we can verify that all of the modules are _idempotent_; and when doing this, we see that NO changes are made to the devices and everything is green: + +``` +PLAY [PLAY 1 - CISCO NXOS] *************************************************** + +TASK: [ENSURE VLAN 100 exists on Cisco Nexus switches] *********************** +ok: [nx1] + +PLAY [PLAY 2 - ARISTA EOS] *************************************************** + +TASK: [ENSURE VLAN 100 exists on Arista switches] **************************** +ok: [veos1] + +PLAY [PLAY 3 - CUMULUS] ****************************************************** + +GATHERING FACTS ************************************************************** +ok: [cvx] + +TASK: [ENSURE 100.10.10.1 is configured on swp1] ***************************** +ok: [cvx] + +TASK: [restart networking without disruption] ******************************** +skipping: [cvx] + +PLAY [PLAY 4 - JUNIPER SRX changes] ****************************************** + +TASK: [INSTALL JUNOS CONFIG] ************************************************* +ok: [vsrx] + +PLAY RECAP *************************************************************** +cvx : ok=2 changed=0 unreachable=0 failed=0 +nx1 : ok=1 changed=0 unreachable=0 failed=0 +veos1 : ok=1 changed=0 unreachable=0 failed=0 +vsrx : ok=1 changed=0 unreachable=0 failed=0 +``` + +Notice how there were 0 changes, but they still returned "ok" for each task. This verifies, as expected, that each of the modules in this playbook are idempotent. + + +### Summary + +Ansible is a super-simple automation platform that is agentless and extensible. The network community continues to rally around Ansible as a platform that can be used for network automation tasks that range from configuration management to data collection and reporting. 
You can push full configuration files with Ansible, configure specific network resources with idempotent modules such as interfaces or VLANs, or simply just automate the collection of information such as neighbors, serial numbers, uptime, and interface stats, and customize reports as you need them. + +Because of its architecture, Ansible proves to be a great tool available here and now that helps bridge the gap from _legacy CLI/SNMP_ network device automation to modern _API-driven_ automation. + +Ansible’s ease of use and agentless architecture accounts for the platform’s increasing following within the networking community. Again, this makes it possible to automate devices without APIs (CLI/SNMP); devices that have modern APIs, including standalone switches, routers, and Layer 4-7 service appliances; and even those software-defined networking (SDN) controllers that offer RESTful APIs. + +There is no device left behind when using Ansible for network automation. + + +----------- + +作者简介: + + ![](https://d3tdunqjn7n0wj.cloudfront.net/360x360/jason-edelman-crop-5b2672f569f553a3de3a121d0179efcb.jpg) + +Jason Edelman, CCIE 15394 & VCDX-NV 167, is a born and bred network engineer from the great state of New Jersey. He was the typical “lover of the CLI” or “router jockey.” At some point several years ago, he made the decision to focus more on software, development practices, and how they are converging with network engineering. Jason currently runs a boutique consulting firm, Network to Code, helping vendors and end users take advantage of new tools and technologies to reduce their operational inefficiencies. Jason has a Bachelor’s... 
+ + +-------------------------------------------------------------------------------- + +via: https://www.oreilly.com/learning/network-automation-with-ansible + +作者:[Jason Edelman][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.oreilly.com/people/ee4fd-jason-edelman +[1]:https://www.oreilly.com/learning/network-automation-with-ansible#ansible_terminology_and_getting_started +[2]:https://www.oreilly.com/learning/network-automation-with-ansible#ansible_network_integrations +[3]:https://www.oreilly.com/learning/network-automation-with-ansible#ansible_terminology_and_getting_started +[4]:https://www.oreilly.com/learning/network-automation-with-ansible#handson_look_at_using_ansible_for_network_automation +[5]:http://docs.ansible.com/ansible/playbooks_vault.html +[6]:https://www.oreilly.com/people/ee4fd-jason-edelman +[7]:https://www.oreilly.com/people/ee4fd-jason-edelman From f756ac71df5aae0a28941ef271572324b9b14c39 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 13:50:51 +0800 Subject: [PATCH 134/181] =?UTF-8?q?20161231-3=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sources/tech/20160510 What is Docker.md | 180 ++++++++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100644 sources/tech/20160510 What is Docker.md diff --git a/sources/tech/20160510 What is Docker.md b/sources/tech/20160510 What is Docker.md new file mode 100644 index 0000000000..d56d30e381 --- /dev/null +++ b/sources/tech/20160510 What is Docker.md 
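Review bot: In the "Here are a few other points" bullets of the Ansible article, the second bullet reads "Play 1 task 1 and play 2 passed variables into the module instead of hardcoding them", which contradicts both the bullet before it and the sample playbook: play 1 task 1 (`nxos_vlan`) is the one that hardcodes `username=admin` / `password=admin`, and it is play 1 task 2 (`eos_vlan`) and play 2 that use `{{ user }}` / `{{ pwd }}`. This should be flagged with a translator's note so it reads as "Play 1 task 2". The same bullet says the variables "mask" the credentials, but they are still stored in clear text under `[all:vars]` in the inventory, and again in `.eapi.conf` and the second inventory's `ansible_ssh_pass` / `pwd` values, so the translation should not strengthen that wording; the Ansible Vault note further down is where readers should be pointed. Separately, the second-run output shows `skipping: [cvx]` for the "restart networking without disruption" task, yet the playbook as printed has no condition or handler on `shell: ifreload -a`, so the idempotency result cannot be reproduced from the listing and deserves a note as well.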
@@ -0,0 +1,180 @@ +What is Docker? +================ + +![](https://d3tdunqjn7n0wj.cloudfront.net/720x480/card-catalog-crop-c76cf2c8b4881e6662c4e9058367a874.jpg) + +This is an excerpt from [Docker: Up and Running][3] by Karl Matthias and Sean P. Kane. It may contain references to unavailable content that is part of the larger resource. + + +Docker was first introduced to the world—with no pre-announcement and little fanfare—by Solomon Hykes, founder and CEO of dotCloud, in a five-minute [lightning talk][4] at the Python Developers Conference in Santa Clara, California, on March 15, 2013\. At the time of this announcement, only about 40 people outside dotCloud been given the opportunity to play with Docker. + +Within a few weeks of this announcement, there was a surprising amount of press. The project was quickly open-sourced and made publicly available on [GitHub][5], where anyone could download and contribute to the project. Over the next few months, more and more people in the industry started hearing about Docker and how it was going to revolutionize the way software was built, delivered, and run. And within a year, almost no one in the industry was unaware of Docker, but many were still unsure what it was exactly, and why people were so excited about. + +Docker is a tool that promises to easily encapsulate the process of creating a distributable artifact for any application, deploying it at scale into any environment, and streamlining the workflow and responsiveness of agile software organizations. + + + +### The Promise of Docker + +While ostensibly viewed as a virtualization platform, Docker is far more than that. Docker’s domain spans a few crowded segments of the industry that include technologies like KVM, Xen, OpenStack, Mesos, Capistrano, Fabric, Ansible, Chef, Puppet, SaltStack, and so on. There is something very telling about the list of products that Docker competes with, and maybe you’ve spotted it already. 
For example, most engineers would not say that virtualization products compete with configuration management tools, yet both technologies are being disrupted by Docker. The technologies in that list are also generally acclaimed for their ability to improve productivity and that’s what is causing a great deal of the buzz. Docker sits right in the middle of some of the most enabling technologies of the last decade. + +If you were to do a feature-by-feature comparison of Docker and the reigning champion in any of these areas, Docker would very likely look like a middling competitor. It’s stronger in some areas than others, but what Docker brings to the table is a feature set that crosses a broad range of workflow challenges. By combining the ease of application deployment tools like Capistrano and Fabric, with the ease of administrating virtualization systems, and then providing hooks that make workflow automation and orchestration easy to implement, Docker provides a very enabling feature set. + +Lots of new technologies come and go, and a dose of skepticism about the newest rage is always healthy. Without digging deeper, it would be easy to dismiss Docker as just another technology that solves a few very specific problems for developers or operations teams. If you look at Docker as a virtualization or deployment technology alone, it might not seem very compelling. But Docker is much more than it seems on the surface. + +It is hard and often expensive to get communication and processes right between teams of people, even in smaller organizations. Yet we live in a world where the communication of detailed information between teams is increasingly required to be successful. A tool that reduces the complexity of that communication while aiding in the production of more robust software would be a big win. And that’s exactly why Docker merits a deeper look. 
It’s no panacea, and implementing Docker well requires some thought, but Docker is a good approach to solving some real-world organizational problems and helping enable companies to ship better software faster. Delivering a well-designed Docker workflow can lead to happier technical teams and real money for the organization’s bottom line. + +So where are companies feeling the most pain? Shipping software at the speed expected in today’s world is hard to do well, and as companies grow from one or two developers to many teams of developers, the burden of communication around shipping new releases becomes much heavier and harder to manage. Developers have to understand a lot of complexity about the environment they will be shipping software into, and production operations teams need to increasingly understand the internals of the software they ship. These are all generally good skills to work on because they lead to a better understanding of the environment as a whole and therefore encourage the designing of robust software, but these same skills are very difficult to scale effectively as an organization’s growth accelerates. + +The details of each company’s environment often require a lot of communication that doesn’t directly build value in the teams involved. For example, requiring developers to ask an operations team for _release 1.2.1_ of a particular library slows them down and provides no direct business value to the company. If developers could simply upgrade the version of the library they use, write their code, test with the new version, and ship it, the delivery time would be measurably shortened. If operations people could upgrade software on the host system without having to coordinate with multiple teams of application developers, they could move faster. Docker helps to build a layer of isolation in software that reduces the burden of communication in the world of humans. 
+ +Beyond helping with communication issues, Docker is opinionated about software architecture in a way that encourages more robustly crafted applications. Its architectural philosophy centers around atomic or throwaway containers. During deployment, the whole running environment of the old application is thrown away with it. Nothing in the environment of the application will live longer than the application itself and that’s a simple idea with big repercussions. It means that applications are not likely to accidentally rely on artifacts left by a previous release. It means that ephemeral debugging changes are less likely to live on in future releases that picked them up from the local filesystem. And it means that applications are highly portable between servers because all state has to be included directly into the deployment artifact and be immutable, or sent to an external dependency like a database, cache, or file server. + +This leads to applications that are not only more scalable, but more reliable. Instances of the application container can come and go with little repercussion on the uptime of the frontend site. These are proven architectural choices that have been successful for non-Docker applications, but the design choices included in Docker’s own design mean that Dockerized applications will follow these best practices by requirement and that’s a good thing. + + + +### Benefits of the Docker Workflow + +It’s hard to cohesively group into categories all of the things Docker brings to the table. When implemented well, it benefits organizations, teams, developers, and operations engineers in a multitude of ways. It makes architectural decisions simpler because all applications essentially look the same on the outside from the hosting system’s perspective. It makes tooling easier to write and share between applications. Nothing in this world comes with benefits and no challenges, but Docker is surprisingly skewed toward the benefits. 
Here are some more of the things you get with Docker: + + + +Packaging software in a way that leverages the skills developers already have. + + + +Many companies have had to create positions for release and build engineers in order to manage all the knowledge and tooling required to create software packages for their supported platforms. Tools like rpm, mock, dpkg, and pbuilder can be complicated to use, and each one must be learned independently. Docker wraps up all your requirements together into one package that is defined in a single file. + + + +Bundling application software and required OS filesystems together in a single standardized image format. + + + +In the past, you typically needed to package not only your application, but many of the dependencies that it relied on, including libraries and daemons. However, you couldn’t ever ensure that 100 percent of the execution environment was identical. All of this made packaging difficult to master, and hard for many companies to accomplish reliably. Often someone running Scientific Linux would resort to trying to deploy a community package tested on Red Hat Linux, hoping that the package was close enough to what they needed. With Docker you deploy your application along with every single file required to run it. Docker’s layered images make this an efficient process that ensures that your application is running in the expected environment. + + + +Using packaged artifacts to test and deliver the exact same artifact to all systems in all environments. + + + +When developers commit changes to a version control system, a new Docker image can be built, which can go through the whole testing process and be deployed to production without any need to recompile or repackage at any step in the process. + + + +Abstracting software applications from the hardware without sacrificing resources. 
+ + + +Traditional enterprise virtualization solutions like VMware are typically used when people need to create an abstraction layer between the physical hardware and the software applications that run on it, at the cost of resources. The hypervisors that manage the VMs and each VM’s running kernel use a percentage of the hardware system’s resources, which are then no longer available to the hosted applications. A container, on the other hand, is just another process that talks directly to the Linux kernel and therefore can utilize more resources, up until the system or quota-based limits are reached. + + + + + +When Docker was first released, Linux containers had been around for quite a few years, and many of the other technologies that it is built on are not entirely new. However, Docker’s unique mix of strong architectural and workflow choices combine together into a whole that is much more powerful than the sum of its parts. Docker finally makes Linux containers, which have been around for more than a decade, approachable to the average technologist. It fits containers relatively easily into the existing workflow and processes of real companies. And the problems discussed above have been felt by so many people that interest in the Docker project has been accelerating faster than anyone could have reasonably expected. + +In the first year, newcomers to the project were surprised to find out that Docker wasn’t already production-ready, but a steady stream of commits from the open source Docker community has moved the project forward at a very brisk pace. That pace seems to only pick up steam as time goes on. As Docker has now moved well into the 1.x release cycle, stability is good, production adoption is here, and many companies are looking to Docker as a solution to some of the serious complexity issues that they face in their application delivery processes. 
+ + + + + + + +### What Docker Isn’t + +Docker can be used to solve a wide breadth of challenges that other categories of tools have traditionally been enlisted to fix; however, Docker’s breadth of features often means that it lacks depth in specific functionality. For example, some organizations will find that they can completely remove their configuration management tool when they migrate to Docker, but the real power of Docker is that although it can replace some aspects of more traditional tools, it is usually compatible with them or even augmented by combining with them, as well. In the following list, we explore some of the tool categories that Docker doesn’t directly replace but that can often be used in conjunction to achieve great results: + + + +Enterprise Virtualization Platform (VMware, KVM, etc.) + + + +A container is not a virtual machine in the traditional sense. Virtual machines contain a complete operating system, running on top of the host operating system. The biggest advantage is that it is easy to run many virtual machines with radically different operating systems on a single host. With containers, both the host and the containers share the same kernel. This means that containers utilize fewer system resources, but must be based on the same underlying operating system (i.e., Linux). + + + +Cloud Platform (Openstack, CloudStack, etc.) + + + +Like Enterprise virtualization, the container workflow shares a lot of similarities on the surface with cloud platforms. Both are traditionally leveraged to allow applications to be horizontally scaled in response to changing demand. Docker, however, is not a cloud platform. It only handles deploying, running, and managing containers on pre-existing Docker hosts. It doesn’t allow you to create new host systems (instances), object stores, block storage, and the many other resources that are typically associated with a cloud platform. + + + +Configuration Management (Puppet, Chef, etc.) 
+ + + +Although Docker can significantly improve an organization’s ability to manage applications and their dependencies, it does not directly replace more traditional configuration management. Dockerfiles are used to define how a container should look at build time, but they do not manage the container’s ongoing state, and cannot be used to manage the Docker host system. + + + +Deployment Framework (Capistrano, Fabric, etc.) + + + +Docker eases many aspects of deployment by creating self-contained container images that encapsulate all the dependencies of an application and can be deployed, in all environments, without changes. However, Docker can’t be used to automate a complex deployment process by itself. Other tools are usually still needed to stitch together the larger workflow automation. + + + +Workload Management Tool (Mesos, Fleet, etc.) + + + +The Docker server does not have any internal concept of a cluster. Additional orchestration tools (including Docker’s own Swarm tool) must be used to coordinate work intelligently across a pool of Docker hosts, and track the current state of all the hosts and their resources, and keep an inventory of running containers. + + + +Development Environment (Vagrant, etc.) + + + +Vagrant is a virtual machine management tool for developers that is often used to simulate server stacks that closely resemble the production environment in which an application is destined to be deployed. Among other things, Vagrant makes it easy to run Linux software on Mac OS X and Windows-based workstations. Since the Docker server only runs on Linux, Docker originally provided a tool called Boot2Docker to allow developers to quickly launch Linux-based Docker machines on various platforms. Boot2Docker is sufficient for many standard Docker workflows, but it doesn’t provide the breadth of features found in Docker Machine and Vagrant. 
+ + + + + +Wrapping your head around Docker can be challenging when you are coming at it without a strong frame of reference. In the next chapter we will lay down a broad overview of Docker, what it is, how it is intended to be used, and what advantages it brings to the table when implemented with all of this in mind. + + +----------------- +作者简介: + +#### [Karl Matthias][1] + +Karl Matthias has worked as a developer, systems administrator, and network engineer for everything from startups to Fortune 500 companies. After working for startups overseas for a few years in Germany and the UK, he has recently returned with his family to Portland, Oregon to work as Lead Site Reliability Engineer at New Relic. When not devoting his time to things digital, he can be found herding his two daughters, shooting film with vintage cameras, or riding one of his bicycles. + + + + + +#### [Sean Kane][2] + +Sean Kane is currently a Lead Site Reliability Engineer for the Shared Infrastructure Team at New Relic. He has had a long career in production operations, with many diverse roles, in a broad range of industries. He has spoken about subjects like alerting fatigue and hardware automation at various meet-ups and technical conferences, including Velocity. Sean spent most of his youth living overseas, and exploring what life has to offer, including graduating from the Ringling Brother & Barnum & Bailey Clown College, completing 2 summer internship... 
+ + + +-------------------------------------------------------------------------------- + +via: https://www.oreilly.com/learning/what-is-docker + +作者:[Karl Matthias ][a],[Sean Kane][b] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.oreilly.com/people/5abbf-karl-matthias +[b]:https://www.oreilly.com/people/d5ce6-sean-kane +[1]:https://www.oreilly.com/people/5abbf-karl-matthias +[2]:https://www.oreilly.com/people/d5ce6-sean-kane +[3]:http://shop.oreilly.com/product/0636920036142.do?intcmp=il-security-books-videos-update-na_new_site_what_is_docker_text_cta +[4]:http://youtu.be/wW9CAH9nSLs +[5]:https://github.com/docker/docker +[6]:https://commons.wikimedia.org/wiki/File:2009_3962573662_card_catalog.jpg From 6f277f0a52b1736a1c9f695ee2a4254c63842628 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 13:57:41 +0800 Subject: [PATCH 135/181] =?UTF-8?q?20161231-4=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ... INSTALL AND REMOVE SOFTWARE IN UBUNTU .md | 300 ++++++++++++++++++ 1 file changed, 300 insertions(+) create mode 100644 sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md diff --git a/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md b/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md new file mode 100644 index 0000000000..1f940eb530 --- /dev/null +++ b/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md 
@@ -0,0 +1,300 @@ +HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU [COMPLETE GUIDE] +============================================================ + + ![Complete guide for installing and removing applications in Ubuntu](https://itsfoss.com/wp-content/uploads/2016/12/Managing-Software-in-Ubuntu-1.jpg) + +_Brief: This detailed guide shows you various ways to install software_ _in Ubuntu Linux and it also demonstrates how to remove installed software in Ubuntu._ + +When you [switch to Linux][14], the experience could be overwhelming at the start. Even the basic things like installing applications in Ubuntu could seem confusing. + +Don’t worry. Linux provides so many ways to do the same task that it is only natural that you may seem lost, at least in the beginning. You are not alone. We have all been to that stage. + +In this beginner’s guide, I’ll show most popular ways to install software in Ubuntu. I’ll also show you how to uninstall the software you had installed earlier. + +I’ll also provide my recommendation about which method you should be using for installing software in Ubuntu. Sit tight and pay attention. This is a long article, a detailed one which is surely going to add to your knowledge. + +### INSTALLING AND UNINSTALLING SOFTWARE IN UBUNTU + +I am using Ubuntu 16.04 running with Unity desktop environment in this guide. Apart from a couple of screenshots, this guide is applicable to all other flavors of Ubuntu. + +### 1.1 INSTALL SOFTWARE USING UBUNTU SOFTWARE CENTER [RECOMMENDED] + +The easiest and most convenient way to find and install software in Ubuntu is by using Ubuntu Software Center. In Ubuntu Unity, you can search for Ubuntu Software Center in Dash and click on it to open it: + +[ + ![Run Ubuntu Software Center](https://itsfoss.com/wp-content/uploads/2016/12/Ubuntu-Software-Center.png) +][15] + + +You can think of Ubuntu Software Center as Google’s Play Store or Apple’s App Store. It showcases all the software available for your Ubuntu system. 
You can either search for an application by its name or just browse through various categories of software. You can also opt for the editor’s pick. Your choice mainly. + + ![Installing software in Ubuntu using Ubuntu Software Center](https://itsfoss.com/wp-content/uploads/2016/12/install-software-Ubuntu-linux.jpeg) + +Once you have found the application you are looking for, simply click on it. This will open a page inside Software Center with a description of the application. You can read the description, see its raiting and also read reviews. You can also write a review if you want. + +Once you are convinced that you want the application, you can click on the install button to install the selected application. You’ll have to enter your password in order to install applications in Ubuntu. + +[ + ![Installing software in Ubuntu: The easy way](https://itsfoss.com/wp-content/uploads/2016/12/install-software-Ubuntu-linux-1.jpg) +][16] + +Can it be any easier than this? I doubt that. + +Tip: As I had mentioned in [things to do after installing Ubuntu 16.04][17], you should enable Canonical partner repository. By default, Ubuntu provides only those softwares that come from its own repository (verified by Ubuntu). + +But there is also a Canonical Partner repository which is not directly controlled by Ubuntu and includes closed source proprietary software. Enabling this repository gives you access to more software. [Installing Skype in Ubuntu][18] is achieved by this method. + +In Unity Dash, look for Software & Updates. + +[ + ![Ubuntu Software Update Settings](https://itsfoss.com/wp-content/uploads/2014/08/Software_Update_Ubuntu.jpeg) +][19] + +And in here, under Other Software tab, check the options of Canonical Partners. 
+ +[ + ![Enable Canonical partners in Ubuntu 14.04](https://itsfoss.com/wp-content/uploads/2014/04/Enable_Canonical_Partner.jpeg) +][20] + + + +### 1.2 REMOVE SOFTWARE USING UBUNTU SOFTWARE CENTER [RECOMMENDED] + +We just saw how to install software using Ubuntu Software Center. How about removing software that you had installed using this method? + +Uninstalling software with Ubuntu Software Center is as easy as the installation process itself. + +Open the Software Center and click on the Installed tab. It will show you all the installed software. Alternatively, you can just search for the application by its name. + +To remove the application from Ubuntu, simply click on Remove button. Again you will have to provide your password here. + +[ + ![Uninstall software installed in Ubuntu](https://itsfoss.com/wp-content/uploads/2016/12/Uninstall-Software-Ubuntu.jpeg) +][22] + +### 2.1 INSTALL SOFTWARE IN UBUNTU USING .DEB FILES + +.deb files are similar to the .exe files in Windows. This is an easy way to provide software installation. Many software vendors provide their software in .deb format. Google Chrome is such an example. + +You can download .deb file from the official website. + +[ + ![Downloading deb packaging](https://itsfoss.com/wp-content/uploads/2016/12/install-software-deb-package.png) +][23] + +Once you have downloaded the .deb file, just double click on it to run it. It will open in Ubuntu Software Center and you can install it in the same way as we saw in section 1.1. + +Alternatively, you can use a lightweight program [Gdebi to install .deb files in Ubuntu][24]. + +Once you have installed the software, you are free to delete the downloaded .deb file. + +Tip: A few things to keep in mind while dealing with .deb file. + +* Make sure that you are downloading the .deb file from the official source. Only rely on the official website or GitHub pages. +* Make sure that you are downloading the .deb file for correct system type (32 bit or 64 bit). 
Read our quick guide to [know if your Ubuntu system is 32 bit or 64 bit][8]. + +### 2.2 REMOVE SOFTWARE THAT WAS INSTALLED USING .DEB + +Removing software that was installed by a .deb file is the same as we saw earlier in section 1.2\. Just go to Ubuntu Software Center, search for the application name and click on remove to uninstall it. + +Alternatively, you can use [Synaptic Package Manager][25]. Not necessarily but this may happen that the installed application is not visible in Ubuntu Software Center. Synaptic Package Manager is lists all the software that are available for your system and all the software that are already installed on your system.This is a very powerful and very useful tool. + +This is a very powerful and very useful tool. Before Ubuntu Software Center came into existence to provide a more user-friendly approach to software installation, Synaptic was the default program for installing and uninstalling software in Ubuntu. + +You can install Synaptic package manager by clicking on the link below (it will open Ubuntu Software Center). + +[Install Synaptic Package Manager][26] + +Open Synaptic Manager and then search for the software you want to uninstall. Installed softwares are marked with a green button. Click on it and select “mark for removal”. Once you do that, click on “apply” to remove the selected software. + +[ + ![Using Synaptic to remove software in Ubuntu](https://itsfoss.com/wp-content/uploads/2016/12/uninstall-software-ubuntu-synaptic.jpeg) +][27] + +### 3.1 INSTALL SOFTWARE IN UBUNTU USING APT COMMANDS [RECOMMENDED] + +You might have noticed a number of websites giving you a command like “sudo apt-get install” to install software in Ubuntu. + +This is actually the command line equivalent of what we saw in section 1\. Basically, instead of using the graphical interface of Ubuntu Software Center, you are using the command line interface. Nothing else changes. + +Using the apt-get command to install software is extremely easy. 
All you need to do is to use a command like: + +``` +sudo apt-get install package_name +``` + +Here sudo gives ‘admin’ or ‘root’ (in Linux term) privileges. You can replace package_name with the desired software name. + +apt-get commands have auto-completion so if you type a few letters and hit tab, it will provide all the programs matching with those letters. + +### 3.2 REMOVE SOFTWARE IN UBUNTU USING APT COMMANDS [RECOMMENDED] + +You can easily remove softwares that were installed using Ubuntu Software Center, apt command or .deb file using the command line. + +All you have to do is to use the following command, just replace the package_name with the software name you want to delete. + +``` +sudo apt-get remove package_name +``` + +Here again, you can benefit from auto completion by pressing the tab key. + +Using apt-get commands is not rocket science. This is in fact very convenient. With these simple commands, you get acquainted with the command line part of Ubuntu Linux and it does help in long run. I recommend reading my detailed [guide on using apt-get commands][28] to learn in detail about it. + +[Suggested ReadUsing apt-get Commands In Linux [Complete Beginners Guide]][29] + +### 4.1 INSTALL APPLICATIONS IN UBUNTU USING PPA + +PPA stands for [Personal Package Archive][30]. This is another way that developers use to provide their software to Ubuntu users. + +In section 1, you came across a term called ‘repository’. Repository basically contains a collection of software. Ubuntu’s official repository has the softwares that are approved by Ubuntu. Canonical partner repository contains the softwares from partnered vendors. + +In the same way, PPA enables a developer to create its own APT repository. When an end user (i.e you) adds this repository to the system (sources.list is modified with this entry), software provided by the developer in his/her repository becomes available for the user. 
+ +Now you may ask what’s the need of PPA when we already have the official Ubuntu repository? + +The answer is that not all software automatically get added to Ubuntu’s official repository. Only the trusted software make it to that list. Imagine that you developed a cool Linux application and you want to provide regular updates to your users but it will take months before it could be added to Ubuntu’s repository (if it could). PPA comes handy in those cases. + +Apart from that, Ubuntu’s official repository often doesn’t include the latest version of a software. This is done to secure the stability of the Ubuntu system. A brand new software version might have a [regression][31] that could impact the system. This is why it takes some time before a new version makes it to the official repository, sometimes it takes months. + +But what if you do not want to wait till the latest version comes to the Ubuntu’s official repository? This is where PPA saves your day. By using PPA, you get the newer version. + +Typically PPA are used in three commands. First to add the PPA repository to the sources list. Second to update the cache of software list so that your system could be aware of the new available software. And third to install the software from the PPA. + +I’ll show you an example by using [Numix theme][32] PPA: + +``` +sudo add-apt-repository ppa:numix/ppa +sudo apt-get update +sudo apt-get install numix-gtk-theme numix-icon-theme-circle +``` + +In the above example, we added a PPA provided [Numix project][33]. And after updating the software information, we add two programs available in Numix PPA. + +If you want a GUI application, you can use [Y-PPA application][34]. It lets you search for PPA, add and remove software in a better way. + +Tip: Security of PPA has often debated. My advice is that you should add PPA from a trusted source, preferably from the official sources. 
+ +### 4.2 REMOVE APPLICATIONS INSTALLED USING PPA + +I have discussed [removing PPA in Ubuntu][35] in detail earlier. You should refer to that article to get more insights about handling PPA removal. + +To quickly discuss it here, you can use the following two commands. + +``` +sudo apt-get remove numix-gtk-theme numix-icon-theme-circle +``` + +``` +sudo add-apt-repository --remove ppa:numix/ppa +``` + +First command removes the software installed via the PPA. Second command removes the PPA from sources.list. + +### 5.1 INSTALLING SOFTWARE USING SOURCE CODE IN UBUNTU LINUX [NOT RECOMMENDED] + +Installing a software using the [source code][36] is not something I would recommend to you. It’s tedious, troublesome and not very convenient. You’ll have to fight your way through dependencies and what not. You’ll have to keep the source code files else you won’t be able to uninstall it later. + +But building from source code is still liked by a few, even if they are not developing software of their own. To tell you the truth, last I used source code extensively was 5 years ago when I was an intern and I had to develop a software in Ubuntu. I have preferred the other ways to install applications in Ubuntu since then. For normal desktop Linux user, installing from source code should be best avoided. + +I’ll be short in this section and just list out the steps to install a software from source code: + +* Download the source code of the program you want to install. +* Extract the downloaded file. +* Go to extracted directory and look for a README or INSTALL file. A well-developed software may include such a file to provide installation and/or removal instructions. +* Look for a file called configure. If it’s present, run the file using the command: ./configure This will check if your system has all the required softwares (called ‘dependencies’ in software term) to install the program. 
Note that not all software include configure file which is, in my opinion, bad development practice. +* If configure notifies you of missing dependencies, install them. +* Once you have everything, use the command make to compile the program. +* Once the program is compiled, run the command sudo make install to install the software. + +Do note that some softwares provide you with an install script and just running that files will install the software for you. But you won’t be that lucky most of the time. + +Also note that the program you installed using this way won’t be updated automatically like programs installed from Ubuntu’s repository or PPAs or .deb. + +I recommend reading this detailed article on [using the source code in Ubuntu][37] if you insist on using source code. + +### 5.2 REMOVING SOFTWARE INSTALLED USING SOURCE CODE [NOT RECOMMENDED] + +If you thought installing software from source code was difficult, think again. Removing the software installed using source code could be a bigger pain. + +* First, you should not delete the source code you used to install the program. +* Second, you should make sure at the installation time that there is a way to uninstall the program. A badly configured program might not provide a way to uninstall the program and then you’ll have to manually remove all the files installed by the software. + +Normally, you should be able to uninstall the program by going to its extracted directory and using this command: + +``` +sudo make uninstall +``` + +But this is not a guarantee that you’ll get this uninstall all the time. + +You see, there are lots of ifs and buts attached with source code and not that many advantages. This is the reason why I do not recommend using the source code to install the software in Ubuntu. + +### FEW MORE WAYS TO INSTALL APPLICATIONS IN UBUNTU + +There are a few more (not so popular) ways you can install software in Ubuntu. Since this article is already way too long, I won’t cover them. 
I am just going to list them here: + +* Ubuntu’s new [Snap packaging][9]. +* [dpkg][10] commands +* [AppImage][11] +* [pip][12] : used for installing Python based programs + +### HOW DO YOU INSTALL APPLICATIONS IN UBUNTU? + +If you have already been using Ubuntu, what’s your favorite way to install software in Ubuntu Linux? Did you find this guide useful? Do share your views, suggestions and questions. + +-------------------- + +作者简介: +![](https://secure.gravatar.com/avatar/20749c268f5d3e4d2c785499eb6a17c0?s=70&d=mm&r=g) + +I am Abhishek Prakash, 'creator' of It's F.O.S.S. Working as a software professional. I am an avid Linux lover and Open Source enthusiast. I use Ubuntu and believe in sharing knowledge. Apart from Linux, I love classic detective mystery. Huge fan of Agatha Christie work. + +-------------------------------------------------------------------------------- + +via: https://itsfoss.com/remove-install-software-ubuntu/ + +作者:[ABHISHEK PRAKASH][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://itsfoss.com/author/abhishek/ +[1]:https://itsfoss.com/author/abhishek/ +[2]:https://itsfoss.com/remove-install-software-ubuntu/#comments +[3]:http://www.facebook.com/share.php?u=https%3A%2F%2Fitsfoss.com%2Fremove-install-software-ubuntu%2F%3Futm_source%3Dfacebook%26utm_medium%3Dsocial%26utm_campaign%3DSocialWarfare +[4]:https://twitter.com/share?original_referer=/&text=How+To+Install+And+Remove+Software+In+Ubuntu+%5BComplete+Guide%5D&url=https://itsfoss.com/remove-install-software-ubuntu/%3Futm_source%3Dtwitter%26utm_medium%3Dsocial%26utm_campaign%3DSocialWarfare&via=abhishek_pc +[5]:https://plus.google.com/share?url=https%3A%2F%2Fitsfoss.com%2Fremove-install-software-ubuntu%2F%3Futm_source%3DgooglePlus%26utm_medium%3Dsocial%26utm_campaign%3DSocialWarfare 
+[6]:https://www.linkedin.com/cws/share?url=https%3A%2F%2Fitsfoss.com%2Fremove-install-software-ubuntu%2F%3Futm_source%3DlinkedIn%26utm_medium%3Dsocial%26utm_campaign%3DSocialWarfare +[7]:https://www.reddit.com/submit?url=https://itsfoss.com/remove-install-software-ubuntu/&title=How+To+Install+And+Remove+Software+In+Ubuntu+%5BComplete+Guide%5D +[8]:https://itsfoss.com/32-bit-64-bit-ubuntu/ +[9]:https://itsfoss.com/use-snap-packages-ubuntu-16-04/ +[10]:https://help.ubuntu.com/lts/serverguide/dpkg.html +[11]:http://appimage.org/ +[12]:https://pypi.python.org/pypi/pip +[13]:https://itsfoss.com/remove-install-software-ubuntu/managing-software-in-ubuntu-1/ +[14]:https://itsfoss.com/reasons-switch-linux-windows-xp/ +[15]:https://itsfoss.com/wp-content/uploads/2016/12/Ubuntu-Software-Center.png +[16]:https://itsfoss.com/remove-install-software-ubuntu/install-software-ubuntu-linux-1/ +[17]:https://itsfoss.com/things-to-do-after-installing-ubuntu-16-04/ +[18]:https://itsfoss.com/install-skype-ubuntu-1404/ +[19]:https://itsfoss.com/ubuntu-notify-updates-frequently/software_update_ubuntu/ +[20]:https://itsfoss.com/things-to-do-after-installing-ubuntu-14-04/enable_canonical_partner/ +[21]:https://itsfoss.com/essential-linux-applications/ +[22]:https://itsfoss.com/remove-install-software-ubuntu/uninstall-software-ubuntu/ +[23]:https://itsfoss.com/remove-install-software-ubuntu/install-software-deb-package/ +[24]:https://itsfoss.com/gdebi-default-ubuntu-software-center/ +[25]:http://www.nongnu.org/synaptic/ +[26]:apt://synaptic +[27]:https://itsfoss.com/remove-install-software-ubuntu/uninstall-software-ubuntu-synaptic/ +[28]:https://itsfoss.com/apt-get-linux-guide/ +[29]:https://itsfoss.com/apt-get-linux-guide/ +[30]:https://help.launchpad.net/Packaging/PPA +[31]:https://en.wikipedia.org/wiki/Software_regression +[32]:https://itsfoss.com/install-numix-ubuntu/ +[33]:https://numixproject.org/ +[34]:https://itsfoss.com/easily-manage-ppas-ubuntu-1310-ppa-manager/ 
+[35]:https://itsfoss.com/how-to-remove-or-delete-ppas-quick-tip/ +[36]:https://en.wikipedia.org/wiki/Source_code +[37]:http://www.howtogeek.com/105413/how-to-compile-and-install-from-source-on-ubuntu/ From 1c46ee3c793b8de97ecca4868c721d3f4e9481a7 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 14:08:06 +0800 Subject: [PATCH 136/181] =?UTF-8?q?20161231-5=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../20161221 Living Android without Kotlin.md | 242 ++++++++++++++++++ 1 file changed, 242 insertions(+) create mode 100644 sources/tech/20161221 Living Android without Kotlin.md diff --git a/sources/tech/20161221 Living Android without Kotlin.md b/sources/tech/20161221 Living Android without Kotlin.md new file mode 100644 index 0000000000..b22696131d --- /dev/null +++ b/sources/tech/20161221 Living Android without Kotlin.md 
@@ -0,0 +1,242 @@ +Living (Android) without Kotlin +============================================================ + +![](https://cdn-images-1.medium.com/max/2000/1*Fd349rzh3XWwSbCP2IV7zA.jpeg) + +> It is easier to get into something than to get out of it. — Donald Rumsfeld + +Living without Kotlin is like playing Warcraft III on the touchpad. Buying a mouse is simple but what can you do if your new employer does not want to let you use Kotlin in production? + +There are a few options. + +* Fight with your product owner to obtain the rights to use Kotlin. +* Use Kotlin and do not tell anyone about it because you know best what is best for you. +* Wipe away your tears and use Java in all its glory. + +Imagine that you lost the battle with your product owner and as a professional engineer, you will not lie and use hipster technology without anyone’s permission. I know that it sounds pretty scary especially when you have already tasted Kotlin but do not lose your hope. + +In further parts of this article, I want to shortly describe some Kotlin features that you can apply to your Android Java code through some well-known tools and libraries. A rudimentary understanding of Kotlin and Java is required. + +### Data classes + +You really do love Kotlin’s data classes, don't you? It is so easy to get `equals()`, `hashCode()`, `toString()` and `copy()` generated for you. To be specific `data` keyword also generates `componentN()` functions corresponding to the properties in their order of declaration. They are used in destructuring declarations. + +``` +data class Person(val name: String) +val (riddle) = Person("Peter") +println(riddle) +``` + +Do you know what will be printed? For sure it will not be the value returned from the `toString()` of the `Person` class. Here is where the destructuring declaration comes to play and assigns a value from `name` to `riddle`. Using parenthesis for `(riddle)` compiler knows that it has to use destructuring declaration mechanism. 
+ + +``` +val (riddle): String = Person("Peter").component1() +println(riddle) // prints Peter +view raw +``` + +>The code does not compile. It is just to show how does the destructuring declaration work. + +As you can see `data` keyword is a super useful language feature so what can you do to bring it to your Java world? Use annotation processor and modify the Abstract Syntax Tree. If you want to go deeper please read the article listed at the end(Project Lombok — Trick Explained). + +Using project Lombok you can achieve almost the same functionality that `data` keyword provides. Unfortunately, there is no way to have destructuring declarations. + +``` +import lombok.Data; + +@Data class Person { + final String name; +} +``` + + +`@Data` annotation generates `equals()`, `hashCode()` and `toString()`. Additionally, it creates getters for all fields, setters for all non-final fields and constructor with all required fields(finals). It is worth to be aware of that Lombok is used just for compilation so the library code will not be added to your final `.apk`. + +### Lambda expressions + +Android engineers have a pretty tough life because of lack of Java 8 features and one of them are lambda expressions. Lambdas are great as they cut down tons of boilerplate for you. You can use them in your callbacks and streams. In Kotlin lambda expressions are built-in and they look way much better than they look in Java. Moreover, the bytecode of the lambda can be inserted directly into the bytecode of the calling method, so the method count does not increase. It can be done using inline functions. + +``` +button.setOnClickListener { println("Hello World") } +``` + +Lately Google announced support for Java 8 features in Android and thanks to Jack compiler you can use lambdas in your code. It is also good to mention that they are available on API level 23 and lower. + +``` +button.setOnClickListener(view -> System.out.println("Hello World!")); +``` + +How to enable them? 
Just add those several lines to your `build.gradle` file. + +``` +defaultConfig { + jackOptions { + enabled true + } +} + +compileOptions { + sourceCompatibility JavaVersion.VERSION_1_8 + targetCompatibility JavaVersion.VERSION_1_8 +} +``` + +If you are not a fan of Jack compiler or for some reasons you cannot use it, there is a different solution for you. Project Retrolambda lets you run Java 8 code with lambda expressions and method references on Java 7, 6 or 5 and here is the setup. + +``` +dependencies { + classpath 'me.tatarka:gradle-retrolambda:3.4.0' +} + +apply plugin: 'me.tatarka.retrolambda' + +compileOptions { + sourceCompatibility JavaVersion.VERSION_1_8 + targetCompatibility JavaVersion.VERSION_1_8 +} +``` + +As I mentioned before inline functions in lambdas in Kotlin do not increase method count but what about using them with Jack or Retrolambda? Obviously, they do not come for free and the hidden costs are listed below. + + + ![](https://cdn-images-1.medium.com/max/800/1*H7h2MB2auMslMkdaDtqAfg.png) + +### Data manipulations + +Kotlin introduces higher-order functions as a replacement for streams. They are extremely useful when you have to transform one set of data to another or filter the collection. + +``` +fun foo(persons: MutableList) { + persons.filter { it.age >= 21 } + .filter { it.name.startsWith("P") } + .map { it.name } + .sorted() + .forEach(::println) +} + +data class Person(val name: String, val age: Int) +``` + +Streams are also provided by Google using Jack compiler. Unfortunately, Jack does not work with Lombok because it skips generating intermediate `.class` files when compiling the code and Lombok depends on these files. 
+ +``` +void foo(List persons) { + persons.stream() + .filter(it -> it.getAge() >= 21) + .filter(it -> it.getName().startsWith("P")) + .map(Person::getName) + .sorted() + .forEach(System.out::println); +} + +class Person { + final private String name; + final private int age; + + public Person(String name, int age) { + this.name = name; + this.age = age; + } + + String getName() { return name; } + int getAge() { return age; } +} +``` + +That is too good to be true so where is the catch? Sadly, streams are available from API 24\. Good job Google but in what universe apps have `minSdkVersion = 24`? + +Fortunately Android platform has an awesome open source community which produces a lot of great libraries. Lightweight-Stream-API is one of them and it contains streams implementation based on iterators for Java 7 and below. + +``` +import lombok.Data; +import com.annimon.stream.Stream; + +void foo(List persons) { + Stream.of(persons) + .filter(it -> it.getAge() >= 21) + .filter(it -> it.getName().startsWith("P")) + .map(Person::getName) + .sorted() + .forEach(System.out::println); +} + +@Data class Person { + final String name; + final int age; +} +``` + +The sample above combines Lombok, Retrolambda, and Lightweight-Stream-API and it looks almost as good as Kotlin, doesn’t it. Using static factory method allows you to transform any Iterable into a stream and apply lambdas on it as on Java 8 streams. It would be perfect to wrap the static invocation `Stream.of(persons)` into extension function of Iterable type but Java does not support it. + +### Extension functions + +Extension mechanism provides an ability to add functionality to a class without having to inherit from it. This well-known concept fits great in the Android world and that is why Kotlin is so popular in the community. + +Is there any technique or magic trick that brings extension functions to your Java toolbox? Thanks to Lombok you can use them as an experimental feature. 
According to what Lombok documentation says they want to move it out of experimental status with no or minor changes soon. Let’s refactor last sample and wrap `Stream.of(persons)` into extension function. + +``` +import lombok.Data; +import lombok.experimental.ExtensionMethod; + +@ExtensionMethod(Streams.class) +public class Foo { + void foo(List persons) { + persons.toStream() + .filter(it -> it.getAge() >= 21) + .filter(it -> it.getName().startsWith("P")) + .map(Person::getName) + .sorted() + .forEach(System.out::println); + } +} + +@Data class Person { + final String name; + final int age; +} + +class Streams { + static Stream toStream(List list) { + return Stream.of(list); + } +} +``` + +All methods that are `public`, `static`, and have at least one argument whose type is not primitive, are considered extension methods. `@ExtensionMethod` annotation allows you to specify a class that contains your extension functions. Instead of using one `.class` object you can also pass an array. + +* * * + +I am fully aware that some of my thoughts are pretty controversial especially Lombok ones and I also know that there are a lot of other libraries that can make your life easier. Please do not hesitate to share your experience in comments. Cheers! 
+ + ![](https://cdn-images-1.medium.com/max/800/1*peB9mmElOn6xwR3eH0HXXA.png) + + + +--------------------------------- + +作者简介: + +![](https://cdn-images-1.medium.com/fit/c/60/60/1*l7_L6VCKzkOm0gq4Kplnkw.jpeg) + +Coder and professional dreamer @ Grid Dynamics + +-------------------------------------------------------------------------------- + +via: https://hackernoon.com/living-android-without-kotlin-db7391a2b170#.q95i5232f + +作者:[Piotr Ślesarew][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://hackernoon.com/@piotr.slesarew?source=post_header_lockup +[1]:http://jakewharton.com/exploring-java-hidden-costs/ +[2]:https://medium.com/u/8ddd94878165 +[3]:https://projectlombok.org/index.html +[4]:https://github.com/aNNiMON/Lightweight-Stream-API +[5]:https://github.com/orfjackal/retrolambda +[6]:http://notatube.blogspot.com/2010/11/project-lombok-trick-explained.html +[7]:http://notatube.blogspot.com/2010/11/project-lombok-trick-explained.html +[8]:https://twitter.com/SliskiCode From 1859d8875fd3ddbd3eb0b837bb2dea853ac40b9b Mon Sep 17 00:00:00 2001 From: wxy Date: Sat, 31 Dec 2016 13:33:35 +0800 Subject: [PATCH 137/181] PUB:20161021 Getting started with Inkscape on Fedora @geekpi --- ...Getting started with Inkscape on Fedora.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) rename {translated/tech => published}/20161021 Getting started with Inkscape on Fedora.md (81%) diff --git a/translated/tech/20161021 Getting started with Inkscape on Fedora.md b/published/20161021 Getting started with Inkscape on Fedora.md similarity index 81% rename from translated/tech/20161021 Getting started with Inkscape on Fedora.md rename to published/20161021 Getting started with Inkscape on Fedora.md index 53d66d4833..99a1d40413 100644 --- a/translated/tech/20161021 Getting started with Inkscape on Fedora.md 
+++ b/published/20161021 Getting started with Inkscape on Fedora.md @@ -1,8 +1,9 @@ -### [Fedora 中使用 Inkscape 起步][2] +Fedora 中使用 Inkscape 起步 +============= - ![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) +![inkscape-gettingstarted](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-gettingstarted-945x400.png) -Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编辑器][3],它已经在 Fedora 官方仓库中。它特别适合生成 [SVG 格式][4]的矢量图形。Inkscape 非常适于创建和操作图片和插图,以及创建图表和模拟用户界面。 +Inkscape 是一个流行的、功能齐全、自由而开源的矢量[图形编辑器][3],它已经在 Fedora 官方仓库中。它特别适合创作 [SVG 格式][4]的矢量图形。Inkscape 非常适于创建和操作图片和插图,以及创建图表和用户界面设计。 [ ![cyberscoty-landscape-800px](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/cyberscoty-landscape-800px.png) @@ -10,13 +11,13 @@ Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编 *使用 inkscape 创建的[风车景色][1]的插图* -[官方网站的截图页][6]上有一些很好的例子,说明 Inkscape 可以做些什么。Fedora 杂志Fedora Magazine上的大多数精选图片也是使用 Inkscape 创建的,包括最近的精选图片: +[其官方网站的截图页][6]上有一些很好的例子,说明 Inkscape 可以做些什么。Fedora 杂志Fedora Magazine上的大多数精选图片也是使用 Inkscape 创建的,包括最近的精选图片: [ ![communty](https://cdn.fedoramagazine.org/wp-content/uploads/2016/09/communty.png) ][7] -*最近使用 Inkscape 创建的 Fedora 杂志精选图片* +*Fedora 杂志最近使用 Inkscape 创建的精选图片* ### 在 Fedora 上安装 Inkscape @@ -32,7 +33,7 @@ Inkscape 是一个流行的、功能齐全、免费和开源的矢量[图形编 sudo dnf install inkscape ``` -### (开始)深入 Inkscape +### (开始)深入 Inkscape 当第一次打开程序时,你会看到一个空白页面,并且有一组不同的工具栏。对于初学者,最重要的三个工具栏是:Toolbar、Tools Control Bar、 Colour Palette(调色板): 
@@ -43,13 +44,13 @@ sudo dnf install inkscape **Toolbar**提供了创建绘图的所有基本工具,包括以下工具: * 矩形工具:用于绘制矩形和正方形 -* 星/多边形(形状)工具 +* 星形/多边形(形状)工具 * 圆形工具:用于绘制椭圆和圆 * 文本工具:用于添加标签和其他文本 * 路径工具:用于创建或编辑更复杂或自定义的形状 * 选择工具:用于选择图形中的对象 -**Colour Palette** 提供了一种快速方式来设置当前选定对象的颜色。 **Tools Control Bar** 提供了工具栏中当前选定工具的所有设置。每次选择新工具时,Tools Control Bar 会变成该工具的设置: +**Colour Palette** 提供了一种设置当前选定对象的颜色的快速方式。 **Tools Control Bar** 提供了工具栏中当前选定工具的所有设置。每次选择新工具时,Tools Control Bar 会变成该工具的相应设置: [ ![](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-toolscontrolbar.gif) @@ -65,7 +66,7 @@ sudo dnf install inkscape ![inkscape-drawastar](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-drawastar.gif) ][12] -接下来,在 Toolbar 中实验一些其他形状工具,如矩形工具,螺旋工具和圆形工具。通过不同的设置,每个工具都可以创建一些独特的图形。 +接下来,可以在 Toolbar 中实验一些其他形状工具,如矩形工具,螺旋工具和圆形工具。通过不同的设置,每个工具都可以创建一些独特的图形。 ### 在绘图中选择并移动对象 From eda62b18e1312b1355836c94e8bc2c65655d5f59 Mon Sep 17 00:00:00 2001 From: xiaojin Date: Sat, 31 Dec 2016 14:53:02 +0800 Subject: [PATCH 138/181] Update 20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 申请翻译 --- .../20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md b/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md index 1f940eb530..df048c4700 100644 --- a/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md +++ b/sources/tech/20161221 HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU .md @@ -1,3 +1,5 @@ +rusking translating + HOW TO INSTALL AND REMOVE SOFTWARE IN UBUNTU [COMPLETE GUIDE] ============================================================ From 31e6d50e8f70a9d2b130cab71776e72c326e6440 Mon Sep 17 00:00:00 2001 
From: jasminepeng Date: Sat, 31 Dec 2016 15:29:45 +0800 Subject: [PATCH 139/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对中 --- translated/tech/20161028 Inkscape: Adding some colour.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/translated/tech/20161028 Inkscape: Adding some colour.md b/translated/tech/20161028 Inkscape: Adding some colour.md index aead9d6dfb..ffa6651aae 100644 --- a/translated/tech/20161028 Inkscape: Adding some colour.md +++ b/translated/tech/20161028 Inkscape: Adding some colour.md @@ -40,7 +40,7 @@ via: https://fedoramagazine.org/inkscape-adding-colour/ 作者:[Ryan Lerch][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 3cc5eb18b35d48b3d1ff5f6f6b1218d77be5624c Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 15:58:50 +0800 Subject: [PATCH 140/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=88=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ... To Install The PyCharm Python In Linux.md | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md index 3e1a84e2b9..576b0dc86c 100644 --- a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md +++ b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md 
@@ -4,37 +4,39 @@ ![][7] ### 简介 -Linux 经常被看成是一个远离外部世界,只有极客才会使用的操作系统,虽然这是一个误解,但事实上,如果你想开发软件,那么 Linux 系统能够为你提供一个很好的开发环境。 +Linux 经常被看成是一个远离外部世界,只有极客才会使用的操作系统,但是这是不准确的,如果你想开发软件,那么 Linux 能够为你提供一个非常棒的开发环境。 -刚开始学习编程的新手们经常会问这样一个问题:应该使用哪种语言?当涉及到 Linux 系统的时候,通常的选择是 C、C++、Python、Java、PHP、Perl 和 Ruby On Rails +刚开始学习编程的新手们经常会问这样一个问题:应该使用哪种语言?当涉及到 Linux 的时候,通常的选择是 C、C++、Python、Java、PHP、Perl 和 Ruby On Rails。 -Linux 系统的许多核心程序都是用 C 语言写的,但是如果离开 Linux 系统的世界, C 语言不再像其他语言比如 Java 和 Python 那么常用。 +Linux 系统的许多核心程序都是用 C 语言写的,但是在 Linux 系统之外的世界, C 语言不再像其他语言比如 Java 和 Python 那么常用。 -对于学习编程的人来说, Python 和 Java 都是不错的选择,因为它们是跨平台的,因此,你在 Linux 系统上写的程序在 Windows 系统和 Macs 系统上也能够很好的工作。 +对于学习编程的人来说, Python 和 Java 都是不错的选择,因为它们是跨平台的,因此,你在 Linux 系统上写的程序在 Windows 和 Mac 上也能够很好的运行。 -虽然你可以使用任何编辑器来开发 Python 程序,但是如果你使用一个同时包含编辑器和调试器的优秀集成开发环境(IDE)来进行开发,那么你的编程生涯将会变得更加轻松。 +虽然你可以使用任何编辑器来开发 Python 程序,但是如果你使用一个同时包含编辑器和调试器的优秀的集成开发环境(IDE)来进行开发,那么你的编程生活将会变得更加轻松。 -PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之前是在 Windows 环境下进行开发,那么你会立刻认出 Jetbrains 公司,它就是那个开发了 Resharper 的公司。 Resharper 是一个用于重构代码的优秀产品,它能够指出代码可能存在的问题以及自动添加声明:比如当你在使用一个类的时候它会自动为你导入。 +PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之前是在 Windows 环境下进行开发,那么你会立刻认出 Jetbrains 公司,它就是那个开发了 Resharper 的公司。 Resharper 是一个用于重构代码的优秀产品,它能够指出代码可能存在的问题,自动添加声明,比如当你在使用一个类的时候它会自动为你导入。 这篇文章将讨论如何在 Linux 系统上获取、安装和运行 PyCharm 。 ### 如何获取 PyCharm -你可以通过访问[这儿][1]获取 PyCharm 。屏幕中央有一个很大的 'Download' 按钮。 +你可以通过访问[https://www.jetbrains.com/pycharm/][1]获取 PyCharm 。 -你可以选择下载专业版或者社区版。如果你只是习惯于用 Python 编程那么推荐下载社区版。 +屏幕中央有一个很大的 'Download' 按钮。 + +你可以选择下载专业版或者社区版。如果你刚刚开始 Python 编程那么推荐你下载社区版。 然而,如果你打算进行专业化的编程,那么专业版的一些优秀特性是不容忽视的。 ### 如何安装 PyCharm -下载好的文件的名称可能是 ‘pycharm-professional-2016.2.3.tar.gz’。 +下载好的文件的名称可能类似这种样子 ‘pycharm-professional-2016.2.3.tar.gz’。 以 “tar.gz” 结尾的文件是被 [gzip][2] 工具压缩过的,并且用 [tar][3] 工具进行了归档从而保证文件夹结构在一个地方。 你可以阅读关于[提取 tar.gz 文件][4]指南的更多信息。 -加快节奏,为了解压文件,你需要做的是首先打开终端,然后通过下面的命令进入下载文件所在的文件夹: +加快速度,为了解压文件,你需要做的是首先打开终端,然后通过下面的命令进入下载文件所在的文件夹: ``` cd ~/Downloads 
@@ -82,15 +84,15 @@ PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之 sh pycharm.sh & ``` -如果你是在一个桌面环境比如 GNOME、KDE、Unity、Cinnamon 或者其他现代桌面上运行,那么你也可以通过针对桌面环境的菜单或者快捷方式来找到 PyCharm 。 +如果你是在一个桌面环境比如 GNOME 、 KDE 、 Unity 、 Cinnamon 或者其他现代桌面环境上运行,你也可以通过桌面环境的菜单或者快捷方式来找到 PyCharm 。 ### 总结 现在, PyCharm 已经安装好了,你可以开始使用它来开发一个桌面应用、 web 应用和各种工具。 -如果你想学习如何使用 Python 编程,那么这儿有很好的[学习资源][5]值得一看。里面的文章更多的是关于 Linux 学习,但也有一些资源比如 Pluralsight 和 Udemy 提供了关于 Python 学习的一些很好的教程。 +如果你想学习如何使用 Python 编程,那么这里有很好的[学习资源][5]值得一看。里面的文章更多的是关于 Linux 学习,但也有一些资源比如 Pluralsight 和 Udemy 提供了关于 Python 学习的一些很好的教程。 -如果想了解 PyCharm 的所有可用特性,请点击[这儿][6]来查看。它覆盖了从创建项目到描述用户界面、调试以及代码重构的全部内容。 +如果想了解 PyCharm 的所有可用特性,请点击[这里][6]来查看。它覆盖了从创建项目到描述用户界面、调试以及重构代码的全部内容。 ----------------------------------------------------------------------------------------------------------- @@ -98,7 +100,7 @@ via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-409 作者:[ Gary Newell][a] 译者:[ucasFL](https://github.com/ucasFL) -校对:[校对者ID](https://github.com/校对者ID) +校对:[oska874](https://github.com/oska874) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 From f3cb4aa6f23fd0f38d1cb987500421e08ab4477c Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Sat, 31 Dec 2016 16:12:19 +0800 Subject: [PATCH 141/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 @geepi,翻得不错,谢谢 --- .../20161028 Inkscape: Adding some colour.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/translated/tech/20161028 Inkscape: Adding some colour.md b/translated/tech/20161028 Inkscape: Adding some colour.md index ffa6651aae..1016e77387 100644 --- a/translated/tech/20161028 Inkscape: Adding some colour.md +++ b/translated/tech/20161028 Inkscape: Adding some colour.md 
@@ -2,33 +2,33 @@ ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) -在我们先前的 Inkscape 文章中,[我们介绍了 Inkscape 的基础][2] - 安装,以及如何创建基本形状及操作它们。我们还介绍了使用 Palette 更改 inkscape 对象的颜色。 虽然 Palette 对于从预定义列表快速更改对象颜色非常有用,但大多数情况下,你需要更好地控制对象的颜色。这是我们使用 Inkscape 中最重要的对话框之一 - “Fill and Stroke” 对话框。 +在我们先前的 Inkscape 文章中,[我们介绍了 Inkscape 的基础][2] - 安装,以及如何创建基本形状及操作它们。我们还介绍了使用 Palette 更改 inkscape 对象的颜色。 虽然 Palette 对于从预定义列表快速更改对象颜色非常有用,但大多数情况下,你需要更好地控制对象的颜色。这是我们使用 Inkscape 中最重要的对话框之一 - 填充和轮廓Fill and Stroke 对话框。 -**关于文章中的动画的说明:**动画中的一些颜色看起来有条纹。这只是一个创建动画的方式。当你在 Inkscape 尝试时,你会看到很好的平滑渐变的颜色。 +**关于文章中的动画的说明:**动画中的一些颜色看起来有条纹。这只是动画创建导致的。当你在 Inkscape 尝试时,你会看到很好的平滑渐变的颜色。 -### 使用 Fill / Stroke 对话框 +### 使用 Fill/Stroke 对话框 -要在 Inkscape 中打开“ Fill and Stroke ”对话框,请从主菜单中选择 “Object”>“Fill and Stroke”。打开后,此对话框中的三个选项卡允许你检查和更改当前选定对象的填充颜色,描边颜色和描边样式。 +要在 Inkscape 中打开 “Fill and Stroke” 对话框,请从主菜单中选择 `Object`>`Fill and Stroke`。打开后,此对话框中的三个选项卡允许你检查和更改当前选定对象的填充颜色,描边颜色和描边样式。 - ![open-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/open-fillstroke.gif) +![open-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/open-fillstroke.gif) -在 Inkscape 中,Fill是给予对象主体主要颜色。对象的笔画是对象的可选轮廓。 对象的笔画还有其他样式 - 可在“笔触样式”选项卡中进行配置 - ,它允许您更改笔触的粗细,创建虚线轮廓或为笔触添加圆角。 在下面的动画中,我会改变星形的填充颜色,然后改变笔触颜色,并调整笔触的粗细: +在 Inkscape 中,Fill 用来给予对象主体主要颜色。对象的轮廓是可选择的,还有其他样式,可在轮廓样式Stroke style选项卡中进行配置,它允许您更改轮廓的粗细,创建虚线轮廓或为轮廓添加圆角。 在下面的动画中,我会改变星形的填充颜色,然后改变轮廓颜色,并调整轮廓的粗细: ![using-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/using-fillstroke.gif) -### 添加并编辑渐变 +### 添加并编辑渐变效果 -渐变也可以是对象的填充(或者描边)。要从 “Fill and Stroke” 对话框快速设置渐变填充,请先选择 “Fill” 选项卡,然后选择线性渐变选项: +渐变也可以是对象的填充(或者轮廓)。要从 “Fill and Stroke” 对话框快速设置渐变填充,请先选择 “Fill” 选项卡,然后选择线性渐变linear gradient 选项: ![create-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/create-gradient.gif) -要进一步编辑我们的渐变,我们需要使用专门的“Gradient Tool”。 从工具栏中选择“Gradient Tool”,会有一些额外的渐变编辑锚点将出现在你选择的形状上。 **移动锚点**将改变渐变的位置。 
如果你**单击一个锚点**,您还可以在“Fill and Stroke”对话框中更改该锚点的颜色。 要**在渐变中添加新的锚点**,请双击连接锚点的线,然后会出现一个新的锚点。 +要进一步编辑我们的渐变,我们需要使用专门的渐变工具>Gradient Tool。 从工具栏中选择“Gradient Tool”,会有一些渐变编辑锚点出现在你选择的形状上。 **移动锚点**将改变渐变的位置。 如果你**单击一个锚点**,您还可以在“Fill and Stroke”对话框中更改该锚点的颜色。 要**在渐变中添加新的锚点**,请双击连接锚点的线,然后会出现一个新的锚点。 ![editing-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/editing-gradient.gif) * * * -这篇包括在 Inkscape 图纸中添加一些颜色和渐变的基础知识。 **“Fill and Stroke”** 对话框还有许多其他选项可供探索,如图案填充,不同的渐变样式和许多不同的笔触样式。另外,查看**工具控制栏** 的 **Gradient Tool** 中的其他选项,看看如何以不同的方式调整渐变。 +这篇文章介绍了在 Inkscape 图纸中添加一些颜色和渐变的基础知识。 **“Fill and Stroke”** 对话框还有许多其他选项可供探索,如图案填充,不同的渐变样式和许多不同的轮廓样式。另外,查看**工具控制栏Tools control bar** 的 **Gradient Tool** 中的其他选项,看看如何以不同的方式调整渐变。 ----------------------- From b913e5d078c60c1a01382068f1ebafb80bd5f05f Mon Sep 17 00:00:00 2001 From: jasminepeng Date: Sat, 31 Dec 2016 16:14:18 +0800 Subject: [PATCH 142/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 校对完毕 --- translated/tech/20161028 Inkscape: Adding some colour.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/translated/tech/20161028 Inkscape: Adding some colour.md b/translated/tech/20161028 Inkscape: Adding some colour.md index 1016e77387..5ff0dc2473 100644 --- a/translated/tech/20161028 Inkscape: Adding some colour.md +++ b/translated/tech/20161028 Inkscape: Adding some colour.md @@ -1,4 +1,4 @@ -### [Inkscape: 添加颜色][1] +## [Inkscape: 添加颜色][1] ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) 
@@ -22,7 +22,7 @@ ![create-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/create-gradient.gif) -要进一步编辑我们的渐变,我们需要使用专门的渐变工具>Gradient Tool。 从工具栏中选择“Gradient Tool”,会有一些渐变编辑锚点出现在你选择的形状上。 **移动锚点**将改变渐变的位置。 如果你**单击一个锚点**,您还可以在“Fill and Stroke”对话框中更改该锚点的颜色。 要**在渐变中添加新的锚点**,请双击连接锚点的线,然后会出现一个新的锚点。 +要进一步编辑我们的渐变,我们需要使用专门的渐变工具Gradient Tool。 从工具栏中选择“Gradient Tool”,会有一些渐变编辑锚点出现在你选择的形状上。 **移动锚点**将改变渐变的位置。 如果你**单击一个锚点**,您还可以在“Fill and Stroke”对话框中更改该锚点的颜色。 要**在渐变中添加新的锚点**,请双击连接锚点的线,然后会出现一个新的锚点。 ![editing-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/editing-gradient.gif) @@ -32,7 +32,7 @@ ----------------------- -作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 +作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自 Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 -------------------------------------------------------------------------------- From 9a193150f257f40935483ebc141029abd0d582f5 Mon Sep 17 00:00:00 2001 From: Ezio Date: Sat, 31 Dec 2016 16:15:10 +0800 Subject: [PATCH 143/181] =?UTF-8?q?=E6=A0=A1=E5=AF=B9=E5=AE=8C=E6=88=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...heck if port is in use on Linux or Unix.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/translated/tech/20161110 How to check if port is in use on Linux or Unix.md b/translated/tech/20161110 How to check if port is in use on Linux or Unix.md index 8a83a45864..7d78b859e9 100644 --- a/translated/tech/20161110 How to check if port is in use on Linux or Unix.md +++ b/translated/tech/20161110 How to check if port is in use on Linux or Unix.md 
@@ -1,13 +1,13 @@ -如何在 \*nix 系统中验证端口是否被占用 +如何在 Linux/Unix 系统中验证端口是否被占用 ========== [![](https://s0.cyberciti.org/images/category/old/linux-logo.png)][1] 在 Linux 或者类 Unix 中,我该如何检查某个端口是否被占用?我又该如何验证 Linux 服务器中有哪些端口处于监听状态? -验证哪些端口在服务器的网络接口上处于监听状态是非常重要的。你需要注意那些用于监听指令的开放端口。暂且不说那些用于排除故障的指令,确认服务器上的某个端口是否被其他应用程序占用也是必要的。比方说,你可能会在同一个系统中安装了 Apache 和 Nginx 服务,所以了解是 Apache 还是 Nginx 占用 # 80/443 TCP端口真的很重要。本文会提及使用 netstat、nmap 和 lsof 命令来检查端口是否被占用以及查看程序使用了那些端口。 +验证哪些端口在服务器的网络接口上处于监听状态是非常重要的。你需要注意那些开放放端口来检测网络入侵。除了网络入侵,为了排除故障,确认服务器上的某个端口是否被其他应用程序占用也是必要的。比方说,你可能会在同一个系统中安装了 Apache 和 Nginx 服务器,所以了解是 Apache 还是 Nginx 占用 # 80/443 TCP端口真的很重要。这篇快速教程会介绍使用 netstat , nmap 和 lsof 命令来检查端口使用信息和找出那些程序正在使用这些端口。 -### 如何检查 Linux 中的监听端口和程序 +### 如何检查 Linux 中的程序和监听的端口 1. 打开一个终端,如 shell 命令窗口。 2. 运行一下任意一行命令: @@ -18,9 +18,9 @@ sudo nmap -sTU -O IP-address-Here ``` -下面我们看看这些命令输出的详细内容: +下面我们看看这些命令和他们的详细输出内容: -### 选择 #1:lsof 命令 +### 选项 #1:lsof 命令 语法如下: @@ -38,7 +38,7 @@ $ doas lsof -i -P -n | grep LISTEN 图 1:使用 lsof 命令检查监听端口和程序 -如上图输出的最后一行: +仔细看上面输出的最后一行: ``` sshd 85379 root 3u IPv4 0xffff80000039e000 0t0 TCP 10.86.128.138:22 (LISTEN) @@ -46,34 +46,34 @@ sshd 85379 root 3u IPv4 0xffff80000039e000 0t0 TCP 10.86.128.13 - sshd 是程序的名称 - 10.86.128.138 是 sshd 程序绑定监听 (LISTEN) 的 IP 地址 -- 22 是被占用 (LISTEN) 的 TCP 端口 -- 85379 是 sshd 进程的进程 ID (PID) +- 22 是被使用 (LISTEN) 的 TCP 端口 +- 85379 是 sshd 任务的进程 ID (PID) -### 选择 #2:netstat 命令 +### 选项 #2:netstat 命令 -netstat 命令检查监听端口和程序的用法如下: +你可以如下面所示使用 netstat 来检查坚挺的端口和程序。 -### Linux 中 netstat 语法如下: +### Linux 中 netstat 语法 ``` $ netstat -tulpn | grep LISTEN ``` -### FreeBSD/MacOS X 中 netstat 语法如下: +### FreeBSD/MacOS X 中 netstat 语法 ``` $ netstat -anp tcp | grep LISTEN $ netstat -anp udp | grep LISTEN ``` -### OpenBSD 中 netstat 语法如下: +### OpenBSD 中 netstat 语法 ``` $ netstat -na -f inet | grep LISTEN $ netstat -nat | grep LISTEN ``` -### 选择 #3:nmap 命令 +### 选项 #3:nmap 命令 语法如下: 
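Review bot: the added line "你可以如下面所示使用 netstat 来检查坚挺的端口和程序" has 坚挺 where 监听 (listening) is meant, and because this sentence introduces the netstat commands, the wrong word hides what they are for. Change it to "检查监听的端口和程序". The first hunk of this patch has a similar slip in its rewritten intro paragraph, 开放放端口 for 开放端口.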
@@ -89,13 +89,13 @@ $ sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]## 图 2:使用 nmap 探测那些端口用于监听 TCP 连接 -你可以在单个命令中同时探测 TCP/UDP 连接: +一句命令合并 TCP/UDP 扫描: `$ sudo nmap -sTU -O 192.168.2.13` -### 关于 Windows 用户 +### 对于 Windows 用户 -你可以使用以下 Windows 自带的命令来检查端口的使用情况: +在windows 系统下可以使用下面的命令检查端口使用情况: ``` netstat -bano | more @@ -107,9 +107,9 @@ netstat -bano | findstr /R /C:"[LISTING]" via: https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/ -作者:[ VIVEK GITE][a] +作者:[VIVEK GITE][a] 译者:[GHLandy](https://github.com/GHLandy) -校对:[校对者ID](https://github.com/校对者ID) +校对:[oska874](https://github.com/oska874) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From a058f353b814b82c5f044a3380220f1378e25ded Mon Sep 17 00:00:00 2001 From: wxy Date: Sat, 31 Dec 2016 17:41:05 +0800 Subject: [PATCH 144/181] PROOF:20160921 How To Install The PyCharm Python In Linux @ucasFL --- ... To Install The PyCharm Python In Linux.md | 79 +++++++++---------- 1 file changed, 37 insertions(+), 42 deletions(-) diff --git a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md index 3e1a84e2b9..5538f543fc 100644 --- a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md +++ b/translated/tech/20160921 How To Install The PyCharm Python In Linux.md 
@@ -1,18 +1,19 @@ -如何在 Linux 下安装 Python IDE - PyCharm +如何在 Linux 下安装 PyCharm ============================================ -![][7] +![](https://fthmb.tqn.com/ju1u-Ju56vYnXabPbsVRyopd72Q=/768x0/filters:no_upscale()/about/pycharmstart-57e2cb405f9b586c351a4cf7.png) + ### 简介 Linux 经常被看成是一个远离外部世界,只有极客才会使用的操作系统,虽然这是一个误解,但事实上,如果你想开发软件,那么 Linux 系统能够为你提供一个很好的开发环境。 -刚开始学习编程的新手们经常会问这样一个问题:应该使用哪种语言?当涉及到 Linux 系统的时候,通常的选择是 C、C++、Python、Java、PHP、Perl 和 Ruby On Rails +刚开始学习编程的新手们经常会问这样一个问题:应该使用哪种语言?当涉及到 Linux 系统的时候,通常的选择是 C、C++、Python、Java、PHP、Perl 和 Ruby On Rails。 -Linux 系统的许多核心程序都是用 C 语言写的,但是如果离开 Linux 系统的世界, C 语言不再像其他语言比如 Java 和 Python 那么常用。 +Linux 系统的许多核心程序都是用 C 语言写的,但是如果离开 Linux 系统的世界, C 语言就不如其它语言比如 Java 和 Python 那么常用。 -对于学习编程的人来说, Python 和 Java 都是不错的选择,因为它们是跨平台的,因此,你在 Linux 系统上写的程序在 Windows 系统和 Macs 系统上也能够很好的工作。 +对于学习编程的人来说, Python 和 Java 都是不错的选择,因为它们是跨平台的,因此,你在 Linux 系统上写的程序在 Windows 系统和 Mac 系统上也能够很好的工作。 -虽然你可以使用任何编辑器来开发 Python 程序,但是如果你使用一个同时包含编辑器和调试器的优秀集成开发环境(IDE)来进行开发,那么你的编程生涯将会变得更加轻松。 +虽然你可以使用任何编辑器来开发 Python 程序,但是如果你使用一个同时包含编辑器和调试器的优秀的集成开发环境(IDE)来进行开发,那么你的编程生涯将会变得更加轻松。 PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之前是在 Windows 环境下进行开发,那么你会立刻认出 Jetbrains 公司,它就是那个开发了 Resharper 的公司。 Resharper 是一个用于重构代码的优秀产品,它能够指出代码可能存在的问题以及自动添加声明:比如当你在使用一个类的时候它会自动为你导入。 
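Review bot: the intro paragraphs changed in this hunk are also rewritten by PATCH 140/181, and both patches start from the same blob (index 3e1a84e2b9), so the two proofreads cannot both apply cleanly. For example, 140 changes the sentence beginning "刚开始学习编程的新手们" to read "当涉及到 Linux 的时候", while this hunk keeps "当涉及到 Linux 系统的时候"; the 校对 credit also ends up as oska874 in one patch and wxy in the other. Rebase this patch onto 140 or drop one of the two, and settle on a single 校对 line.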
@@ -22,67 +23,61 @@ PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之 你可以通过访问[这儿][1]获取 PyCharm 。屏幕中央有一个很大的 'Download' 按钮。 -你可以选择下载专业版或者社区版。如果你只是习惯于用 Python 编程那么推荐下载社区版。 - -然而,如果你打算进行专业化的编程,那么专业版的一些优秀特性是不容忽视的。 +你可以选择下载专业版或者社区版。如果你刚刚接触 Python 编程那么推荐下载社区版。然而,如果你打算发展到专业化的编程,那么专业版的一些优秀特性是不容忽视的。 ### 如何安装 PyCharm 下载好的文件的名称可能是 ‘pycharm-professional-2016.2.3.tar.gz’。 -以 “tar.gz” 结尾的文件是被 [gzip][2] 工具压缩过的,并且用 [tar][3] 工具进行了归档从而保证文件夹结构在一个地方。 - -你可以阅读关于[提取 tar.gz 文件][4]指南的更多信息。 +以 “tar.gz” 结尾的文件是被 [gzip][2] 工具压缩过的,并且把文件夹用 [tar][3] 工具归档到了一起。你可以阅读关于[提取 tar.gz 文件][4]指南的更多信息。 加快节奏,为了解压文件,你需要做的是首先打开终端,然后通过下面的命令进入下载文件所在的文件夹: - ``` - cd ~/Downloads - ``` +``` +cd ~/Downloads +``` 现在,通过运行下面的命令找到你下载的文件的名字: - ``` - ls pycharm* - ``` +``` +ls pycharm* +``` 然后运行下面的命令解压文件: - ``` - tar -xvzf pycharm-professional-2016.2.3.tar.gz -C ~ - ``` +``` +tar -xvzf pycharm-professional-2016.2.3.tar.gz -C ~ +``` -记得把上面命令中的文件名替换成通过 ‘ls’ 命令获知的 pycharm 文件名。(也就是你下载的文件的名字) - -上面的命令将会把 PyCharm 软件安装在 ‘home’ 目录中。 +记得把上面命令中的文件名替换成通过 `ls` 命令获知的 pycharm 文件名。(也就是你下载的文件的名字)。上面的命令将会把 PyCharm 软件安装在 `home` 目录中。 ### 如何运行 PyCharm -要运行 PyCharm, 首先需要进入 ‘home’ 目录: +要运行 PyCharm, 首先需要进入 `home` 目录: - ``` - cd ~ - ``` +``` +cd ~ +``` -运行 ‘ls’ 命令查找文件夹名: +运行 `ls` 命令查找文件夹名: - ``` - ls - ``` +``` +ls +``` 查找到文件名以后,运行下面的命令进入 PyCharm 目录: - ``` - cd pycharm-2016.2.3/bin - ``` +``` +cd pycharm-2016.2.3/bin +``` 最后,通过运行下面的命令来运行 PyCharm: - ``` - sh pycharm.sh & - ``` +``` +sh pycharm.sh & +``` -如果你是在一个桌面环境比如 GNOME、KDE、Unity、Cinnamon 或者其他现代桌面上运行,那么你也可以通过针对桌面环境的菜单或者快捷方式来找到 PyCharm 。 +如果你是在一个桌面环境比如 GNOME、KDE、Unity、Cinnamon 或者其他现代桌面上运行,那么你也可以通过桌面环境的菜单或者快捷方式来找到 PyCharm 。 ### 总结 
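Review bot: in the added sentences "上面的命令将会把 PyCharm 软件安装在 `home` 目录中" and "首先需要进入 `home` 目录", the backticks make `home` read as a literal directory name, but the commands in the same hunk use `~` (`-C ~`, `cd ~`), that is, the current user's home directory. Write it as 主目录(`~`)or drop the code formatting. The same hunk leaves the archive name in curly quotes (‘pycharm-professional-2016.2.3.tar.gz’) while `ls` is now in backticks, and the added "。(也就是你下载的文件的名字)。" ends with two full stops.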
@@ -90,15 +85,15 @@ PyCharm 是由 Jetbrains 公司开发的一个跨平台编辑器。如果你之 如果你想学习如何使用 Python 编程,那么这儿有很好的[学习资源][5]值得一看。里面的文章更多的是关于 Linux 学习,但也有一些资源比如 Pluralsight 和 Udemy 提供了关于 Python 学习的一些很好的教程。 -如果想了解 PyCharm 的所有可用特性,请点击[这儿][6]来查看。它覆盖了从创建项目到描述用户界面、调试以及代码重构的全部内容。 +如果想了解 PyCharm 的更多特性,请点击[这儿][6]来查看。它覆盖了从创建项目到描述用户界面、调试以及代码重构的全部内容。 ----------------------------------------------------------------------------------------------------------- via: https://www.lifewire.com/how-to-install-the-pycharm-python-ide-in-linux-4091033 -作者:[ Gary Newell][a] +作者:[Gary Newell][a] 译者:[ucasFL](https://github.com/ucasFL) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 From b81b157e21a8eb1d1bb1cabc0fa9e24d74d1ab98 Mon Sep 17 00:00:00 2001 From: wxy Date: Sat, 31 Dec 2016 17:41:17 +0800 Subject: [PATCH 145/181] PUB:20160921 How To Install The PyCharm Python In Linux @ucasFL --- .../20160921 How To Install The PyCharm Python In Linux.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20160921 How To Install The PyCharm Python In Linux.md (100%) diff --git a/translated/tech/20160921 How To Install The PyCharm Python In Linux.md b/published/20160921 How To Install The PyCharm Python In Linux.md similarity index 100% rename from translated/tech/20160921 How To Install The PyCharm Python In Linux.md rename to published/20160921 How To Install The PyCharm Python In Linux.md From 2391ff188a61a2068a2bd9c9cf21e1deb5a128f3 Mon Sep 17 00:00:00 2001 From: wxy Date: Sat, 31 Dec 2016 21:15:43 +0800 Subject: [PATCH 146/181] PUB:20161110 How to check if port is in use on Linux or Unix @GHLandy --- ...heck if port is in use on Linux or Unix.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) rename {translated/tech => published}/20161110 How to check if port is in use on Linux or Unix.md (52%) 
diff --git a/translated/tech/20161110 How to check if port is in use on Linux or Unix.md b/published/20161110 How to check if port is in use on Linux or Unix.md similarity index 52% rename from translated/tech/20161110 How to check if port is in use on Linux or Unix.md rename to published/20161110 How to check if port is in use on Linux or Unix.md index 7d78b859e9..951cf2a490 100644 --- a/translated/tech/20161110 How to check if port is in use on Linux or Unix.md +++ b/published/20161110 How to check if port is in use on Linux or Unix.md @@ -5,38 +5,36 @@ 在 Linux 或者类 Unix 中,我该如何检查某个端口是否被占用?我又该如何验证 Linux 服务器中有哪些端口处于监听状态? -验证哪些端口在服务器的网络接口上处于监听状态是非常重要的。你需要注意那些开放放端口来检测网络入侵。除了网络入侵,为了排除故障,确认服务器上的某个端口是否被其他应用程序占用也是必要的。比方说,你可能会在同一个系统中安装了 Apache 和 Nginx 服务器,所以了解是 Apache 还是 Nginx 占用 # 80/443 TCP端口真的很重要。这篇快速教程会介绍使用 netstat , nmap 和 lsof 命令来检查端口使用信息和找出那些程序正在使用这些端口。 +验证哪些端口在服务器的网络接口上处于监听状态是非常重要的。你需要注意那些开放端口来检测网络入侵。除了网络入侵,为了排除故障,确认服务器上的某个端口是否被其他应用程序占用也是必要的。比方说,你可能会在同一个系统中安装了 Apache 和 Nginx 服务器,所以了解是 Apache 还是 Nginx 占用了 # 80/443 TCP 端口真的很重要。这篇快速教程会介绍使用 `netstat` 、 `nmap` 和 `lsof` 命令来检查端口使用信息并找出哪些程序正在使用这些端口。 ### 如何检查 Linux 中的程序和监听的端口 -1. 打开一个终端,如 shell 命令窗口。 -2. 运行一下任意一行命令: +1、 打开一个终端,如 shell 命令窗口。 +2、 运行以下任意一行命令: - ``` - sudo lsof -i -P -n | grep LISTEN - sudo netstat -tulpn | grep LISTEN - sudo nmap -sTU -O IP-address-Here - ``` +``` +sudo lsof -i -P -n | grep LISTEN +sudo netstat -tulpn | grep LISTEN +sudo nmap -sTU -O IP地址 +``` -下面我们看看这些命令和他们的详细输出内容: +下面我们看看这些命令和它们的详细输出内容: -### 选项 #1:lsof 命令 +### 方式 1:lsof 命令 语法如下: ``` $ sudo lsof -i -P -n $ sudo lsof -i -P -n | grep LISTEN -$ doas lsof -i -P -n | grep LISTEN +$ doas lsof -i -P -n | grep LISTEN ### OpenBSD ``` -### [OpenBSD] ### - 输出如下: [![Fig.01: Check the listening ports and applications with lsof command](https://s0.cyberciti.org/uploads/faq/2016/11/lsof-outputs.png)][2] -图 1:使用 lsof 命令检查监听端口和程序 +*图 1:使用 lsof 命令检查监听端口和程序* 仔细看上面输出的最后一行: 
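Review bot: replacing the list markers "1." and "2." with "1、" and "2、" at the top of the procedure turns the two steps into plain text; as added, the two lines are adjacent, so Markdown will run them together as one paragraph, and the command block is no longer nested under the second step. Keep the "1." / "2." markers with the fenced block indented under item 2, or separate the steps with blank lines. The leftover "#" in "# 80/443 TCP 端口" in the rewritten intro paragraph could be dropped in the same pass.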
@@ -44,58 +42,60 @@ $ doas lsof -i -P -n | grep LISTEN sshd 85379 root 3u IPv4 0xffff80000039e000 0t0 TCP 10.86.128.138:22 (LISTEN) ``` -- sshd 是程序的名称 -- 10.86.128.138 是 sshd 程序绑定监听 (LISTEN) 的 IP 地址 -- 22 是被使用 (LISTEN) 的 TCP 端口 -- 85379 是 sshd 任务的进程 ID (PID) +- `sshd` 是程序的名称 +- `10.86.128.138` 是 `sshd` 程序绑定 (LISTEN) 的 IP 地址 +- `22` 是被使用 (LISTEN) 的 TCP 端口 +- `85379` 是 `sshd` 任务的进程 ID (PID) -### 选项 #2:netstat 命令 +### 方式 2:netstat 命令 -你可以如下面所示使用 netstat 来检查坚挺的端口和程序。 +你可以如下面所示使用 `netstat` 来检查监听的端口和程序。 -### Linux 中 netstat 语法 +**Linux 中 netstat 语法** ``` $ netstat -tulpn | grep LISTEN ``` -### FreeBSD/MacOS X 中 netstat 语法 +**FreeBSD/MacOS X 中 netstat 语法** ``` $ netstat -anp tcp | grep LISTEN $ netstat -anp udp | grep LISTEN ``` -### OpenBSD 中 netstat 语法 +**OpenBSD 中 netstat 语法** ``` $ netstat -na -f inet | grep LISTEN $ netstat -nat | grep LISTEN ``` -### 选项 #3:nmap 命令 +### 方式 3:nmap 命令 语法如下: ``` $ sudo nmap -sT -O localhost -$ sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]## -$ sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]## +$ sudo nmap -sU -O 192.168.2.13 ### 列出打开的 UDP 端口 +$ sudo nmap -sT -O 192.168.2.13 ### 列出打开的 TCP 端口 ``` -输出如下: +示例输出如下: [![Fig.02: Determines which ports are listening for TCP connections using nmap](https://s0.cyberciti.org/uploads/faq/2016/11/nmap-outputs.png)][3] -图 2:使用 nmap 探测那些端口用于监听 TCP 连接 +*图 2:使用 nmap 探测哪些端口监听 TCP 连接* -一句命令合并 TCP/UDP 扫描: +你可以用一句命令合并 TCP/UDP 扫描: + +``` +$ sudo nmap -sTU -O 192.168.2.13 +``` -`$ sudo nmap -sTU -O 192.168.2.13` +### 赠品:对于 Windows 用户 -### 对于 Windows 用户 - -在windows 系统下可以使用下面的命令检查端口使用情况: +在 windows 系统下可以使用下面的命令检查端口使用情况: ``` netstat -bano | more From c0b450288cbe539aeb6de76c4d31853d090df137 Mon Sep 17 00:00:00 2001 
From: wxy Date: Sat, 31 Dec 2016 21:37:55 +0800 Subject: [PATCH 147/181] PROOF:20161203 Redirect a Website URL from One Server to Different Server in Apache @geekpi --- ...ne Server to Different Server in Apache.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md index be65f0eb6e..f0b37fa394 100644 --- a/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md +++ b/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md 
@@ -1,29 +1,29 @@ -在Apache中重定向URL从一台服务器到另外一台服务器上 +如何在 Apache 中重定向 URL 到另外一台服务器 ============================================================ -如我们前面两篇文章([使用mod_rewrite执行内部重定向][1]和[基于浏览器显示自定义内容][2])中所承诺的,在本文中,我们将解释如何在Apache中使用mod_rewrite模块将已移动的资源重定向到不同服务器上。 +如我们前面两篇文章([使用 mod_rewrite 执行内部重定向][1]和[基于浏览器来显示自定义内容][2])中提到的,在本文中,我们将解释如何在 Apache 中使用 mod_rewrite 模块重定向对已移动到另外一台服务器上的资源的访问。 -假设你正在重新设计公司的网站。你已决定将内容和样式(HTML文件,JavaScript和CSS)存储在一个服务器上,将文档存储在另一个服务器上 - 这样可能会更稳健。 +假设你正在重新设计公司的网站。你已决定将内容和样式(HTML文件、JavaScript 和 CSS)存储在一个服务器上,将文档存储在另一个服务器上 - 这样可能会更稳健。 -**建议阅读:** [5个提高Apache Web服务器性能的提示][3] +**建议阅读:** [5 个提高 Apache Web 服务器性能的提示][3] 。 -但是,你希望这个更改对用户透明,以便他们仍然能够通过常用网址访问文档。 +但是,你希望这个更改对用户是透明的,以便他们仍然能够通过之前的网址访问文档。 -在下面的例子中,名为“assets.pdf”的文件已从192.168.0.100(主机名:web)中的/var/www /html移动到192.168.0.101(主机名:web2)中的相同位置。 +在下面的例子中,名为 `assets.pdf` 的文件已从 `192.168.0.100`(主机名:`web`)中的 `/var/www/html` 移动到`192.168.0.101`(主机名:`web2`)中的相同位置。 -为了让用户在浏览到“192.168.0.100/assets.pdf”时访问此文件,请打开192.168.0.100上的Apache配置文件并添加以下重写规则(或者也可以将以下规则添加到[.htaccess文件][4])中: +为了让用户在浏览到 `192.168.0.100/assets.pdf` 时可以访问到此文件,请打开 `192.168.0.100` 上的 Apache 配置文件并添加以下重写规则(或者也可以将以下规则添加到 [.htaccess 文件][4])中: ``` RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L] ``` -其中`$1`是与括号中的正则表达式匹配的任何内容的占位符。 +其中 `$1` 占位符,代表与括号中的正则表达式匹配的任何内容。 -现在保存更改,不要忘记重新启动Apache,让我们看看当我们打开192.168.0.100/assets.pdf,尝试访问assets.pdf时会发生什么: +现在保存更改,不要忘记重新启动 Apache,让我们看看当我们打开 `192.168.0.100/assets.pdf`,尝试访问 `assets.pdf` 时会发生什么: -**建议阅读:** [25有用的网站的'.htaccess'技巧] [5] +**建议阅读:** [25 个有用的网站 .htaccess 技巧] [5] -在下面我们就可以看到,为192.168.0.100上的assets.pdf所做的请求实际上是由192.168.0.101处理的。 +在下面我们就可以看到,为 `192.168.0.100` 上的 `assets.pdf` 所做的请求实际上是由 `192.168.0.101` 处理的。 ``` # tail -n 1 /var/log/apache2/access.log 
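Review bot: the added line "**建议阅读:** [25 个有用的网站 .htaccess 技巧] [5]" keeps the space between "]" and "[5]" from the old text, so renderers that follow CommonMark will not resolve it as a reference link, unlike "[5 个提高 Apache Web 服务器性能的提示][3]" earlier in the same hunk. Remove the space. In the added sentence "其中 `$1` 占位符,代表与括号中的正则表达式匹配的任何内容", 是 is missing after `$1`.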
@@ -32,15 +32,15 @@ RewriteRule "^(/assets\.pdf$)" "http://192.168.0.101$1" [R,L] ![Check Apache Logs](http://www.tecmint.com/wp-content/uploads/2016/11/Check-Apache-Logs.png) ][6] -检查Apache日志 +*检查 Apache 日志* -在本文中,我们讨论了如何对已移动到其他服务器的资源进行重定向。 总而言之,我强烈建议你看看[mod_rewrite][7]指南和[Apache重定向指南][8],以供将来参考。 +在本文中,我们讨论了如何对已移动到其他服务器的资源进行重定向。 总而言之,我强烈建议你看看 [mod_rewrite][7] 指南和 [Apache 重定向指南][8],以供将来参考。 一如既往那样,如果您对本文有任何疑虑,请随时使用下面的评论栏回复。 我们期待你的回音! -------------------------------------------------------------------------------- -作者简介:Gabriel Cánepa是来自阿根廷圣路易斯Villa Mercedes的GNU/Linux系统管理员和Web开发人员。 他在一家全球领先的消费品公司工作,非常高兴使用FOSS工具来提高他日常工作领域的生产力。 +作者简介:Gabriel Cánepa 是来自阿根廷圣路易斯 Villa Mercedes 的 GNU/Linux 系统管理员和 Web 开发人员。 他在一家全球领先的消费品公司工作,非常高兴使用 FOSS 工具来提高他日常工作领域的生产力。 ----------- @@ -48,7 +48,7 @@ via: http://www.tecmint.com/redirect-website-url-from-one-server-to-different-se 作者:[Gabriel Cánepa][a] 译者:[geekpi](https://github.com/geekpi) -校对:[校对者ID](https://github.com/校对者ID) +校对:[wxy](https://github.com/wxy) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 4f6e52f32973b7398fb1c15c5559384451d2d9e8 Mon Sep 17 00:00:00 2001 From: wxy Date: Sat, 31 Dec 2016 21:38:10 +0800 Subject: [PATCH 148/181] PUB:20161203 Redirect a Website URL from One Server to Different Server in Apache @geekpi --- ...a Website URL from One Server to Different Server in Apache.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {translated/tech => published}/20161203 Redirect a Website URL from One Server to Different Server in Apache.md (100%) 
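Review bot: In the first hunk of PATCH 147, the added line `**建议阅读:** [25 个有用的网站 .htaccess 技巧] [5]` still has a space between `]` and `[5]`, so CommonMark-based renderers will not resolve it as a reference link; remove the space as was done for `[3]` and `[4]`. The same hunk applies its Latin/CJK spacing unevenly: `HTML文件、JavaScript` and ``移动到`192.168.0.101` `` are missing the space added everywhere else. The reworded `其中 `$1` 占位符,代表…` also drops the verb `是` that the removed line had. Since the text offers `.htaccess` as an alternative location, a translator's note may be worth adding: in per-directory context mod_rewrite strips the leading slash before matching, so the pattern `^(/assets\.pdf$)` as written only matches in the server or virtual-host configuration.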
diff --git a/translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/published/20161203 Redirect a Website URL from One Server to Different Server in Apache.md similarity index 100% rename from translated/tech/20161203 Redirect a Website URL from One Server to Different Server in Apache.md rename to published/20161203 Redirect a Website URL from One Server to Different Server in Apache.md From 513234f106e3fb77a374deb111e46c2d35788505 Mon Sep 17 00:00:00 2001 From: ivo-wang Date: Sat, 31 Dec 2016 23:25:33 +0800 Subject: [PATCH 149/181] translated --- ...ng Up Real-Time Monitoring with Ganglia.md | 233 ------------------ ...ng Up Real-Time Monitoring with Ganglia.md | 226 +++++++++++++++++ 2 files changed, 226 insertions(+), 233 deletions(-) delete mode 100644 sources/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md create mode 100755 translated/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md diff --git a/sources/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md b/sources/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md deleted file mode 100644 index 84a6d82d02..0000000000 --- a/sources/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md +++ /dev/null 
@@ -1,233 +0,0 @@ -ivo-wang translating -Setting Up Real-Time Monitoring with ‘Ganglia’ for Grids and Clusters of Linux Servers -=========== - - -Ever since system administrators have been in charge of managing servers and groups of machines, tools like monitoring applications have been their best friends. You will probably be familiar with tools like [Nagios][11], [Zabbix][10], [Icinga][9], and Centreon. While those are the heavyweights of monitoring, setting them up and fully taking advantage of their features may be somewhat difficult for new users. - -In this article we will introduce you to Ganglia, a monitoring system that is easily scalable and allows to view a wide variety of system metrics of Linux servers and clusters (plus graphs) in real time. - -[![Install Gangila Monitoring in Linux](http://www.tecmint.com/wp-content/uploads/2016/06/Install-Gangila-Monitoring-in-Linux.png)][8] - -Install Gangila Monitoring in Linux - -Ganglia lets you set up grids (locations) and clusters (groups of servers) for better organization. - -Thus, you can create a grid composed of all the machines in a remote environment, and then group those machines into smaller sets based on other criteria. - -In addition, Ganglia’s web interface is optimized for mobile devices, and also allows you to export data en `.csv`and `.json` formats. - -Our test environment will consist of a central CentOS 7 server (IP address 192.168.0.29) where we will install Ganglia, and an Ubuntu 14.04 machine (192.168.0.32), the box that we want to monitor through Ganglia’s web interface. - -Throughout this guide we will refer to the CentOS 7 system as the master node, and to the Ubuntu box as the monitored machine. - -### Installing and Configuring Ganglia - -To install the monitoring utilities in the the master node, follow these steps: - -#### 1. 
Enable the [EPEL repository][7] and then install Ganglia and related utilities from there: - ``` -# yum update && yum install epel-release -# yum install ganglia rrdtool ganglia-gmetad ganglia-gmond ganglia-web - ``` - -The packages installed in the step above along with ganglia, the application itself, perform the following functions: - - 1. `rrdtool`, the Round-Robin Database, is a tool that’s used to store and display the variation of data over time using graphs. - 2. `ganglia-gmetad` is the daemon that collects monitoring data from the hosts that you want to monitor. In those hosts and in the master node it is also necessary to install ganglia-gmond (the monitoring daemon itself): - 3. `ganglia-web` provides the web frontend where we will view the historical graphs and data about the monitored systems. - -#### 2. Set up authentication for the Ganglia web interface (/usr/share/ganglia). We will use basic authentication as provided by Apache. - - If you want to explore more advanced security mechanisms, refer to the [Authorization and Authentication][6]section of the Apache docs. - - To accomplish this goal, create a username and assign a password to access a resource protected by Apache. In this example, we will create a username called `adminganglia` and assign a password of our choosing, which will be stored in /etc/httpd/auth.basic (feel free to choose another directory and / or file name – as long as Apache has read permissions on those resources, you will be fine): - - ``` -# htpasswd -c /etc/httpd/auth.basic adminganglia - - ``` - - Enter the password for adminganglia twice before proceeding. - -#### 3. Modify /etc/httpd/conf.d/ganglia.conf as follows: - - ``` -Alias /ganglia /usr/share/ganglia - -AuthType basic -AuthName "Ganglia web UI" -AuthBasicProvider file -AuthUserFile "/etc/httpd/auth.basic" -Require user adminganglia - - - ``` - -#### 4. 
Edit /etc/ganglia/gmetad.conf: - - First, use the gridname directive followed by a descriptive name for the grid you’re setting up: - - ``` -gridname "Home office" - - ``` - - Then, use data_source followed by a descriptive name for the cluster (group of servers), a polling interval in seconds and the IP address of the master and monitored nodes: - - ``` -data_source "Labs" 60 192.168.0.29:8649 # Master node -data_source "Labs" 60 192.168.0.32 # Monitored node - - ``` - -#### 5. Edit /etc/ganglia/gmond.conf. - - a) Make sure the cluster block looks as follows: - - ``` -cluster { -name = "Labs" # The name in the data_source directive in gmetad.conf -owner = "unspecified" -latlong = "unspecified" -url = "unspecified" -} - - ``` - - b) In the udp_send_chanel block, comment out the mcast_join directive: - - ``` -udp_send_channel { -#mcast_join = 239.2.11.71 -host = localhost -port = 8649 -ttl = 1 -} - - ``` - - c) Finally, comment out the mcast_join and bind directives in the udp_recv_channel block: - - ``` -udp_recv_channel { -#mcast_join = 239.2.11.71 ## comment out -port = 8649 -#bind = 239.2.11.71 ## comment out -} - ``` - - Save the changes and exit. - -#### 6. Open port 8649/udp and allow PHP scripts (run via Apache) to connect to the network using the necessary SELinux boolean: - - ``` -# firewall-cmd --add-port=8649/udp -# firewall-cmd --add-port=8649/udp --permanent -# setsebool -P httpd_can_network_connect 1 - - ``` - -#### 7. Restart Apache, gmetad, and gmond. Also, make sure they are enabled to start on boot: - - ``` -# systemctl restart httpd gmetad gmond -# systemctl enable httpd gmetad httpd - - ``` - - At this point, you should be able to open the Ganglia web interface at `http://192.168.0.29/ganglia` and login with the credentials from #Step 2. - - [![Gangila Web Interface](http://www.tecmint.com/wp-content/uploads/2016/06/Gangila-Web-Interface.png)][5] - - Gangila Web Interface - -#### 8. 
In the Ubuntu host, we will only install ganglia-monitor, the equivalent of ganglia-gmond in CentOS: - -``` -$ sudo aptitude update && aptitude install ganglia-monitor - -``` - -#### 9. Edit the /etc/ganglia/gmond.conf file in the monitored box. This should be identical to the same file in the master node except that the commented out lines in the cluster, udp_send_channel, and udp_recv_channelshould be enabled: - -``` -cluster { -name = "Labs" # The name in the data_source directive in gmetad.conf -owner = "unspecified" -latlong = "unspecified" -url = "unspecified" -} -udp_send_channel { -mcast_join = 239.2.11.71 -host = localhost -port = 8649 -ttl = 1 -} -udp_recv_channel { -mcast_join = 239.2.11.71 ## comment out -port = 8649 -bind = 239.2.11.71 ## comment out -} - -``` - -Then, restart the service: - -``` -$ sudo service ganglia-monitor restart - -``` - -#### 10. Refresh the web interface and you should be able to view the statistics and graphs for both hosts inside the Home office grid / Labs cluster (use the dropdown menu next to to Home office grid to choose a cluster, Labsin our case): - -[![Ganglia Home Office Grid Report](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Home-Office-Grid-Report.png)][4] - -Ganglia Home Office Grid Report - -Using the menu tabs (highlighted above) you can access lots of interesting information about each server individually and in groups. You can even compare the stats of all the servers in a cluster side by side using the Compare Hosts tab. - -Simply choose a group of servers using a regular expression and you will be able to see a quick comparison of how they are performing: - -[![Ganglia Host Server Information](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Server-Information.png)][3] - -Ganglia Host Server Information - -One of the features I personally find most appealing is the mobile-friendly summary, which you can access using the Mobile tab. 
Choose the cluster you’re interested in and then the individual host: - -[![Ganglia Mobile Friendly Summary View](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Mobile-View.png)][2] - -Ganglia Mobile Friendly Summary View - -### Summary - -In this article we have introduced Ganglia, a powerful and scalable monitoring solution for grids and clusters of servers. Feel free to install, explore, and play around with Ganglia as much as you like (by the way, you can even try out Ganglia in a demo provided in the project’s [official website][1]. - -While you’re at it, you will also discover that several well-known companies both in the IT world or not use Ganglia. There are plenty of good reasons for that besides the ones we have shared in this article, with easiness of use and graphs along with stats (it’s nice to put a face to the name, isn’t it?) probably being at the top. - -But don’t just take our word for it, try it out yourself and don’t hesitate to drop us a line using the comment form below if you have any questions. 
- --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/install-configure-ganglia-monitoring-centos-linux/ - -作者:[Gabriel Cánepa][a] - -译者:[译者ID](https://github.com/译者ID) - -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: http://www.tecmint.com/author/gacanepa/ -[1]:http://ganglia.info/ -[2]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Mobile-View.png -[3]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Server-Information.png -[4]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Home-Office-Grid-Report.png -[5]:http://www.tecmint.com/wp-content/uploads/2016/06/Gangila-Web-Interface.png -[6]:http://httpd.apache.org/docs/current/howto/auth.html -[7]:http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/ -[8]:http://www.tecmint.com/wp-content/uploads/2016/06/Install-Gangila-Monitoring-in-Linux.png -[9]:http://www.tecmint.com/install-icinga-in-centos-7/ -[10]:http://www.tecmint.com/install-and-configure-zabbix-monitoring-on-debian-centos-rhel/ -[11]:http://www.tecmint.com/install-nagios-in-linux/ diff --git a/translated/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md b/translated/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md new file mode 100755 index 0000000000..999338d476 --- /dev/null +++ b/translated/tech/20160610 Setting Up Real-Time Monitoring with Ganglia.md 
@@ -0,0 +1,226 @@ +使用Ganglia来监控linux类型的网格和集群服务器 +=========== +自从SA接手服务和主机管理以后,监控类的工具就成了他们的好帮手。其中比较有名的有[Nagios][11], [Zabbix][10], [Icinga][9], 和 Centreon.以上这些重量级的监控工具,让一个新手SA来设置,并使用其中的高级特性是非常困难的。 +本文将向你介绍Ganglia,它是一个容易扩展配置的监控系统。它可以查看服务器中的各项性能指标,也可以实时图形化的展示集群配置。 +[![Install Gangila Monitoring in Linux](http://www.tecmint.com/wp-content/uploads/2016/06/Install-Gangila-Monitoring-in-Linux.png)][8] + +在Linux上安装Ganglia +Ganglia能够让集群和网格服务器更加容易管理。 +我们可以远程创建一个包含所有主机的网格配置,其中的成员主机可以使用模板设置。 + +此外Ganglia对移动设备进行过页面优化,排版非常人性化。当然你还可以导出`csv`和 `.json`格式的数据。 + +我们的测试环境包括一个安装Ganglia的主节点服务器CentOS7(IP 地址 192.168.0.29)和一个作为被监控端的Ubuntu 14.04主机 (192.168.0.32)。我们将通过Ganglia Web的页面来监控这台Ubuntu主机。 + +下面的例子可以给大家提供参考,CentOS7作为主节点,Ubuntu作为被监控对象。 + +### 安装和配置 Ganglia + +请遵循以下步骤在主节点服务器安装监控工具。 + +#### 1. 1. 使用yum源 [EPEL repository][7] ,然后安装 Ganglia和相关工具: +命令如下 + +``` +# yum update && yum install epel-release +# yum install ganglia rrdtool ganglia-gmetad ganglia-gmond ganglia-web +``` + +Ganglia将附加安装一些应用,它们的功能如下: + + 1. `rrdtool`, 轮询数据库,它是一个储存以及用图形化显示变化数据的工具 + 2. `ganglia-gmetad` 一个守护进程,用来收集被监控主机的数据。被监控主机与主节点主机都要安装Ganglia-gmond(监控守护进程自己) + 3. `ganglia-web` 提供Web前端用于显示监控系统的历史数据 + +#### 2. 使用Apache为Ganglia配置Web身份认证 + + 如果你想了解更多的高级认证机制,请参阅[Authorization and Authentication][6]选择Apache部分。 + + 为完成这部分的任务,我们需要用Apache来创建一个用户名和对应的密码,下面的例子我们先来创建一个叫`adminganglia`的用户名,然后给他分配一个密码,它将被储存在 /etc/httpd/auth.basic(如果随便选择根目录或其他Apache没有权限读取的目录,这项配置最终将会以失败告终。)  + +``` +# htpasswd -c /etc/httpd/auth.basic adminganglia + +``` + +给adminganglia添加密码,需要经过2次确认 + +#### 3. 修改配置文件 /etc/httpd/conf.d/ganglia.conf  + +``` +Alias /ganglia /usr/share/ganglia + +AuthType basic +AuthName "Ganglia web UI" +AuthBasicProvider file +AuthUserFile "/etc/httpd/auth.basic" +Require user adminganglia + + +``` + +#### 4. 
编辑 /etc/ganglia/gmetad.conf: + + 首先, 使用gridname命令来设置集群的名称。 + +``` +gridname "Home office" + +``` + + 然后, 使用data_source命令根据集群的名称来设置主节点主机和被监控节点的轮询时间 + +``` +data_source "Labs" 60 192.168.0.29:8649 # Master node +data_source "Labs" 60 192.168.0.32 # Monitored node + +``` + +#### 5. 编辑 /etc/ganglia/gmond.conf. + + a)确保集群的配置和下面的一样。 + +``` +cluster { +name = "Labs" # The name in the data_source directive in gmetad.conf +owner = "unspecified" +latlong = "unspecified" +url = "unspecified" +} + +``` + + b) 在udp_send_chanel 中,注释掉 mcast_join directive: + +``` +udp_send_channel { +# mcast_join = 239.2.11.71 +host = localhost +port = 8649 +ttl = 1 +} + +``` + + c)在udp_recv_channel 中:注释掉mcast_join 和bind部分 + +``` +udp_recv_channel { +# mcast_join = 239.2.11.71 ## comment out +port = 8649 +# bind = 239.2.11.71 ## comment out +} +``` + + 保存并退出 + +#### 6.打开8649/udp端口,更改SELinux确保php脚本能够连接: + +``` +# firewall-cmd --add-port=8649/udp +# firewall-cmd --add-port=8649/udp --permanent +# setsebool -P httpd_can_network_connect 1 + +``` + +#### 7.重启Apache,gmetad,gmond并确保他们在开机启动里面。 + +``` +# systemctl restart httpd gmetad gmond +# systemctl enable httpd gmetad httpd + +``` + +至此,我们现在能够打开并登录Ganglia的Web页面 `http://192.168.0.29/ganglia`  + + [![Gangila Web Interface](http://www.tecmint.com/wp-content/uploads/2016/06/Gangila-Web-Interface.png)][5] + + Gangila Web Interface + +#### 8. 在Ubuntu上安装Ganglia-monitor: + +``` +$ sudo aptitude update && aptitude install ganglia-monitor + +``` + +#### 9. 
编辑被监控主机的配置文件/etc/ganglia/gmond.conf,在主节点主机上也是相同的文件,注释掉网格里面不在线的主机。需要编辑udp_send_channel和udp_recv_channelshould这两项 + +``` +cluster { +name = "Labs" # The name in the data_source directive in gmetad.conf +owner = "unspecified" +latlong = "unspecified" +url = "unspecified" +} +udp_send_channel { +mcast_join = 239.2.11.71 +host = localhost +port = 8649 +ttl = 1 +} +udp_recv_channel { +mcast_join = 239.2.11.71 ## comment out +port = 8649 +bind = 239.2.11.71 ## comment out +} + +``` + +Then, restart the service: +之后重启服务 + +``` +$ sudo service ganglia-monitor restart + +``` + +#### 10. 刷新页面你将看到各种状态以及图形化的展示集群或网格的配置情况(用下拉菜单选择我们想查看的集群或网格): + +[![Ganglia Home Office Grid Report](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Home-Office-Grid-Report.png)][4] + +Ganglia中网格的报告 + +使用菜单按钮你可以选择组里面的节点主机,这将非常容易的获取到你感兴趣的信息。可以使用对比选项来查看集群中所有主机的信息。 + +当然你也可以使用正则表达式来快速对比一组主机 + +[![Ganglia Host Server Information](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Server-Information.png)][3] + +Ganglia Host Server Information + +One of the features I personally find most appealing is the mobile-friendly summary, which you can access using the Mobile tab. 
Choose the cluster you’re interested in and then the individual host: +能够使用移动设备管理,对于移动端有友好界面,这是一个非常吸引人的特点。在集群中选中一个主机,点击它。 + +[![Ganglia Mobile Friendly Summary View](http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Mobile-View.png)][2] + +Ganglia 移动端截图 +### 总结 + +本篇文章向大家介绍了Ganglia,他是一个功能强大扩展性很好的监控工具,主要用来监控集群和网格。它可以随意安装,便捷的组合各种功能(你甚至可以尝试一下官方提供的demo网站[official website][1])。 +此时你可能会发现许多知名的it企业或许并不使用Ganglia来监控作为监控工具。他们有自己更好的工具去实现,除了那些工具以外,我们这篇文章里面提到的Ganglia可能是最方便的图形化(在图示主机上显示对应的名字)工具。 +但是请不要拘泥于本篇文章,尝试一下自己去做,不必犹豫不敢尝试。如果你有任何问题也欢迎给我留言。 +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/install-configure-ganglia-monitoring-centos-linux/ + +作者:[Gabriel Cánepa][a] + +译者:[ivo-wang](https://github.com/ivo-wang) + +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: http://www.tecmint.com/author/gacanepa/ +[1]:http://ganglia.info/ +[2]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Mobile-View.png +[3]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Server-Information.png +[4]:http://www.tecmint.com/wp-content/uploads/2016/06/Ganglia-Home-Office-Grid-Report.png +[5]:http://www.tecmint.co m/wp-content/uploads/2016/06/Gangila-Web-Interface.png +[6]:http://httpd.apache.org/docs/current/howto/auth.html +[7]:http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/ +[8]:http://www.tecmint.com/wp-content/uploads/2016/06/ Install-Gangila-Monitoring-in-Linux.png +[9]:http://www.tecmint.com/install-icinga-in-centos-7/ +[10]:http://www.tecmint.com/install-and-configure-zabbix-monitoring-on-debian-centos-rhel/ +[11]:http://www.tecmint.com/install-nagios-in-linux/ From 420f7db5eafdc2dc7b934d50a5fbb150b89ea227 Mon Sep 17 00:00:00 2001 
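Review bot: In the added Ganglia translation (PATCH 149), two passages no longer say what the deleted English source says. Step 9 reads `注释掉网格里面不在线的主机`, whereas the source says the file matches the master node's except that the commented-out lines are enabled. The summary's `许多知名的it企业或许并不使用Ganglia` reverses "several well-known companies ... use Ganglia". Both need retranslating before proofreading. The hunk also leaves English beside its translation (`+Then, restart the service:` and `+One of the features I personally find most appealing ...`), has a doubled step number in `#### 1. 1. 使用yum源`, and introduces a space inside two reference URLs that the source did not have (`[5]:http://www.tecmint.co m/...` and `[8]:.../2016/06/ Install-Gangila-...`), which breaks both image links. The file is created with mode 100755; a Markdown document should be 100644 like the source it replaces. The command `systemctl enable httpd gmetad httpd` is carried over unchanged and never enables gmond, so a translator's note there would help readers whose monitoring daemon does not come back after a reboot.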
From: wxy Date: Sat, 31 Dec 2016 23:55:02 +0800 Subject: [PATCH 150/181] =?UTF-8?q?=E5=BD=92=E6=A1=A3=20201612?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 2016 再见~ --- ...160505 A daughter of Silicon Valley shares her 'nerd' story.md | 0 published/{ => 201612}/20160516 Securing Your Server.md | 0 ...ners and unikernels can learn from Arduino and Raspberry Pi.md | 0 .../20160615 Excel Filter and Edit - Demonstrated in Pandas.md | 0 published/{ => 201612}/20160627 Linux Practicality vs Activism.md | 0 ...uilding a Real-Time Recommendation Engine with Data Science.md | 0 ... Dependency Injection for the Android platform 101 - Part 1.md | 0 ...webpack with the Amazon Cognito Identity SDK for JavaScript.md | 0 .../20160913 The Five Principles of Monitoring Microservices.md | 0 ...tphones Do Away with the Headphone Jack Here Are Our Though.md | 0 .../20160921 How To Install The PyCharm Python In Linux.md | 0 .../{ => 201612}/20160923 PyCharm - The Best Linux Python IDE.md | 0 published/{ => 201612}/20161014 IS OPEN SOURCE DESIGN A THING.md | 0 ... Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md | 0 ...017 How To Manually Backup Your SMS MMS Messages On Android.md | 0 ... 
Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md | 0 .../20161021 Getting started with Inkscape on Fedora.md | 0 ...cal Security Patches to Ubuntu Linux Kernel Without Rebooting.md | 0 ...023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md | 0 published/{ => 201612}/20161024 Getting Started with Webpack 2.md | 0 .../20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md | 0 .../20161026 Fedora-powered computer lab at our university.md | 0 published/{ => 201612}/20161027 DTrace for Linux 2016.md | 0 .../20161027 Would You Consider Riding in a Driverless Car.md | 0 .../{ => 201612}/20161030 I dont understand Pythons Asyncio.md | 0 published/{ => 201612}/20161102 5 Best FPS Games For Linux.md | 0 ...20161104 4 Easy Ways To Generate A Strong Password In Linux.md | 0 ...Install Security Updates Automatically on Debian and Ubuntu.md | 0 ...1110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md | 0 ...To Update Wifi Network Password From Terminal In Arch Linux.md | 0 .../20161110 How to check if port is in use on Linux or Unix.md | 0 ...tch – Shows Linux System Information with Distribution Logo.md | 0 ...Introduction to Eclipse Che a next-generation web-based IDE.md | 0 ...6 Fix Unable to lock the administration directory in Ubuntu.md | 0 ...ive Directory Infrastructure with Samba4 on Ubuntu – Part 1.md | 0 .../{ => 201612}/20161123 How to find a file on a Linux VPS.md | 0 .../20161124 Fedora 25 Workstation Installation Guide.md | 0 ...e Samba4 AD Infrastructure from Linux Command Line – Part 2.md | 0 ...t All Live Hosts IP Addresses Connected on Network in Linux.md | 0 ...SQL Server to Linux - Move from SQL Server to MySQL as well.md | 0 ...0161128 Uncommon-but-useful-GCC-command-line-options-part-1.md | 0 ...ecurity Patches or Updates Automatically on CentOS and RHEL.md | 0 published/{ => 201612}/20161130 Locking Down Your Linux Server.md | 0 .../2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md | 0 .../{ => 
201612}/20161201 3 open source password managers.md | 0 ...201 5 Ways to Empty or Delete a Large File Content in Linux.md | 0 .../20161201 How to Build an Email Server on Ubuntu Linux.md | 0 ...61201 Uncommon but useful GCC command line options - part 2.md | 0 ...pstat – A Curl Statistics Tool to Check Website Performance.md | 0 ...a Website URL from One Server to Different Server in Apache.md | 0 ...he Complete Guide to Flashing Factory Images Using Fastboot.md | 0 ...0161209 How to Copy a File to Multiple Directories in Linux.md | 0 ... to Perform Syntax Checking Debugging Mode in Shell Scripts.md | 0 ...2 Add Rainbow Colors to Linux Command Output in Slow Motion.md | 0 .../20161215 Building an Email Server on Ubuntu Linux - Part 2.md | 0 .../{ => 201612}/20161215 Installation of CentOS 7.3 Guide.md | 0 ...20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md | 0 .../Arch Linux In a world of polish, DIY never felt so good.md | 0 58 files changed, 0 insertions(+), 0 deletions(-) rename published/{ => 201612}/20160505 A daughter of Silicon Valley shares her 'nerd' story.md (100%) rename published/{ => 201612}/20160516 Securing Your Server.md (100%) rename published/{ => 201612}/20160525 What containers and unikernels can learn from Arduino and Raspberry Pi.md (100%) rename published/{ => 201612}/20160615 Excel Filter and Edit - Demonstrated in Pandas.md (100%) rename published/{ => 201612}/20160627 Linux Practicality vs Activism.md (100%) rename published/{ => 201612}/20160817 Building a Real-Time Recommendation Engine with Data Science.md (100%) rename published/{ => 201612}/20160817 Dependency Injection for the Android platform 101 - Part 1.md (100%) rename published/{ => 201612}/20160908 Using webpack with the Amazon Cognito Identity SDK for JavaScript.md (100%) rename published/{ => 201612}/20160913 The Five Principles of Monitoring Microservices.md (100%) rename published/{ => 201612}/20160915 Should Smartphones Do Away with the Headphone Jack Here 
Are Our Though.md (100%) rename published/{ => 201612}/20160921 How To Install The PyCharm Python In Linux.md (100%) rename published/{ => 201612}/20160923 PyCharm - The Best Linux Python IDE.md (100%) rename published/{ => 201612}/20161014 IS OPEN SOURCE DESIGN A THING.md (100%) rename published/{ => 201612}/20161014 WattOS - A Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md (100%) rename published/{ => 201612}/20161017 How To Manually Backup Your SMS MMS Messages On Android.md (100%) rename published/{ => 201612}/20161018 An Everyday Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md (100%) rename published/{ => 201612}/20161021 Getting started with Inkscape on Fedora.md (100%) rename published/{ => 201612}/20161021 Livepatch – Apply Critical Security Patches to Ubuntu Linux Kernel Without Rebooting.md (100%) rename published/{ => 201612}/20161023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md (100%) rename published/{ => 201612}/20161024 Getting Started with Webpack 2.md (100%) rename published/{ => 201612}/20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md (100%) rename published/{ => 201612}/20161026 Fedora-powered computer lab at our university.md (100%) rename published/{ => 201612}/20161027 DTrace for Linux 2016.md (100%) rename published/{ => 201612}/20161027 Would You Consider Riding in a Driverless Car.md (100%) rename published/{ => 201612}/20161030 I dont understand Pythons Asyncio.md (100%) rename published/{ => 201612}/20161102 5 Best FPS Games For Linux.md (100%) rename published/{ => 201612}/20161104 4 Easy Ways To Generate A Strong Password In Linux.md (100%) rename published/{ => 201612}/20161105 How to Install Security Updates Automatically on Debian and Ubuntu.md (100%) rename published/{ => 201612}/20161110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md (100%) rename published/{ => 201612}/20161110 How To Update Wifi Network Password From Terminal In Arch Linux.md (100%) rename 
published/{ => 201612}/20161110 How to check if port is in use on Linux or Unix.md (100%) rename published/{ => 201612}/20161112 Neofetch – Shows Linux System Information with Distribution Logo.md (100%) rename published/{ => 201612}/20161114 Introduction to Eclipse Che a next-generation web-based IDE.md (100%) rename published/{ => 201612}/20161116 Fix Unable to lock the administration directory in Ubuntu.md (100%) rename published/{ => 201612}/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md (100%) rename published/{ => 201612}/20161123 How to find a file on a Linux VPS.md (100%) rename published/{ => 201612}/20161124 Fedora 25 Workstation Installation Guide.md (100%) rename published/{ => 201612}/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md (100%) rename published/{ => 201612}/20161126 Find Out All Live Hosts IP Addresses Connected on Network in Linux.md (100%) rename published/{ => 201612}/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md (100%) rename published/{ => 201612}/20161128 Uncommon-but-useful-GCC-command-line-options-part-1.md (100%) rename published/{ => 201612}/20161130 Install Security Patches or Updates Automatically on CentOS and RHEL.md (100%) rename published/{ => 201612}/20161130 Locking Down Your Linux Server.md (100%) rename published/{ => 201612}/2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md (100%) rename published/{ => 201612}/20161201 3 open source password managers.md (100%) rename published/{ => 201612}/20161201 5 Ways to Empty or Delete a Large File Content in Linux.md (100%) rename published/{ => 201612}/20161201 How to Build an Email Server on Ubuntu Linux.md (100%) rename published/{ => 201612}/20161201 Uncommon but useful GCC command line options - part 2.md (100%) rename published/{ => 201612}/20161202 httpstat – A Curl Statistics Tool to Check Website Performance.md (100%) rename published/{ => 
201612}/20161203 Redirect a Website URL from One Server to Different Server in Apache.md (100%) rename published/{ => 201612}/20161203 The Complete Guide to Flashing Factory Images Using Fastboot.md (100%) rename published/{ => 201612}/20161209 How to Copy a File to Multiple Directories in Linux.md (100%) rename published/{ => 201612}/20161210 How to Perform Syntax Checking Debugging Mode in Shell Scripts.md (100%) rename published/{ => 201612}/20161212 Add Rainbow Colors to Linux Command Output in Slow Motion.md (100%) rename published/{ => 201612}/20161215 Building an Email Server on Ubuntu Linux - Part 2.md (100%) rename published/{ => 201612}/20161215 Installation of CentOS 7.3 Guide.md (100%) rename published/{ => 201612}/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md (100%) rename published/{ => 201612}/Arch Linux In a world of polish, DIY never felt so good.md (100%) diff --git a/published/20160505 A daughter of Silicon Valley shares her 'nerd' story.md b/published/201612/20160505 A daughter of Silicon Valley shares her 'nerd' story.md similarity index 100% rename from published/20160505 A daughter of Silicon Valley shares her 'nerd' story.md rename to published/201612/20160505 A daughter of Silicon Valley shares her 'nerd' story.md diff --git a/published/20160516 Securing Your Server.md b/published/201612/20160516 Securing Your Server.md similarity index 100% rename from published/20160516 Securing Your Server.md rename to published/201612/20160516 Securing Your Server.md diff --git a/published/20160525 What containers and unikernels can learn from Arduino and Raspberry Pi.md b/published/201612/20160525 What containers and unikernels can learn from Arduino and Raspberry Pi.md similarity index 100% rename from published/20160525 What containers and unikernels can learn from Arduino and Raspberry Pi.md rename to published/201612/20160525 What containers and unikernels can learn from Arduino and Raspberry Pi.md 
diff --git a/published/20160615 Excel Filter and Edit - Demonstrated in Pandas.md b/published/201612/20160615 Excel Filter and Edit - Demonstrated in Pandas.md similarity index 100% rename from published/20160615 Excel Filter and Edit - Demonstrated in Pandas.md rename to published/201612/20160615 Excel Filter and Edit - Demonstrated in Pandas.md diff --git a/published/20160627 Linux Practicality vs Activism.md b/published/201612/20160627 Linux Practicality vs Activism.md similarity index 100% rename from published/20160627 Linux Practicality vs Activism.md rename to published/201612/20160627 Linux Practicality vs Activism.md diff --git a/published/20160817 Building a Real-Time Recommendation Engine with Data Science.md b/published/201612/20160817 Building a Real-Time Recommendation Engine with Data Science.md similarity index 100% rename from published/20160817 Building a Real-Time Recommendation Engine with Data Science.md rename to published/201612/20160817 Building a Real-Time Recommendation Engine with Data Science.md diff --git a/published/20160817 Dependency Injection for the Android platform 101 - Part 1.md b/published/201612/20160817 Dependency Injection for the Android platform 101 - Part 1.md similarity index 100% rename from published/20160817 Dependency Injection for the Android platform 101 - Part 1.md rename to published/201612/20160817 Dependency Injection for the Android platform 101 - Part 1.md diff --git a/published/20160908 Using webpack with the Amazon Cognito Identity SDK for JavaScript.md b/published/201612/20160908 Using webpack with the Amazon Cognito Identity SDK for JavaScript.md similarity index 100% rename from published/20160908 Using webpack with the Amazon Cognito Identity SDK for JavaScript.md rename to published/201612/20160908 Using webpack with the Amazon Cognito Identity SDK for JavaScript.md 
diff --git a/published/20160913 The Five Principles of Monitoring Microservices.md b/published/201612/20160913 The Five Principles of Monitoring Microservices.md similarity index 100% rename from published/20160913 The Five Principles of Monitoring Microservices.md rename to published/201612/20160913 The Five Principles of Monitoring Microservices.md diff --git a/published/20160915 Should Smartphones Do Away with the Headphone Jack Here Are Our Though.md b/published/201612/20160915 Should Smartphones Do Away with the Headphone Jack Here Are Our Though.md similarity index 100% rename from published/20160915 Should Smartphones Do Away with the Headphone Jack Here Are Our Though.md rename to published/201612/20160915 Should Smartphones Do Away with the Headphone Jack Here Are Our Though.md diff --git a/published/20160921 How To Install The PyCharm Python In Linux.md b/published/201612/20160921 How To Install The PyCharm Python In Linux.md similarity index 100% rename from published/20160921 How To Install The PyCharm Python In Linux.md rename to published/201612/20160921 How To Install The PyCharm Python In Linux.md diff --git a/published/20160923 PyCharm - The Best Linux Python IDE.md b/published/201612/20160923 PyCharm - The Best Linux Python IDE.md similarity index 100% rename from published/20160923 PyCharm - The Best Linux Python IDE.md rename to published/201612/20160923 PyCharm - The Best Linux Python IDE.md diff --git a/published/20161014 IS OPEN SOURCE DESIGN A THING.md b/published/201612/20161014 IS OPEN SOURCE DESIGN A THING.md similarity index 100% rename from published/20161014 IS OPEN SOURCE DESIGN A THING.md rename to published/201612/20161014 IS OPEN SOURCE DESIGN A THING.md 
diff --git a/published/20161014 WattOS - A Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md b/published/201612/20161014 WattOS - A Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md similarity index 100% rename from published/20161014 WattOS - A Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md rename to published/201612/20161014 WattOS - A Rock-Solid Lightning-Fast Lightweight Linux Distro For All.md diff --git a/published/20161017 How To Manually Backup Your SMS MMS Messages On Android.md b/published/201612/20161017 How To Manually Backup Your SMS MMS Messages On Android.md similarity index 100% rename from published/20161017 How To Manually Backup Your SMS MMS Messages On Android.md rename to published/201612/20161017 How To Manually Backup Your SMS MMS Messages On Android.md diff --git a/published/20161018 An Everyday Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md b/published/201612/20161018 An Everyday Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md similarity index 100% rename from published/20161018 An Everyday Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md rename to published/201612/20161018 An Everyday Linux User Review Of Xubuntu 16.10 - A Good Place To Start.md diff --git a/published/20161021 Getting started with Inkscape on Fedora.md b/published/201612/20161021 Getting started with Inkscape on Fedora.md similarity index 100% rename from published/20161021 Getting started with Inkscape on Fedora.md rename to published/201612/20161021 Getting started with Inkscape on Fedora.md 
diff --git a/published/20161021 Livepatch – Apply Critical Security Patches to Ubuntu Linux Kernel Without Rebooting.md b/published/201612/20161021 Livepatch – Apply Critical Security Patches to Ubuntu Linux Kernel Without Rebooting.md similarity index 100% rename from published/20161021 Livepatch – Apply Critical Security Patches to Ubuntu Linux Kernel Without Rebooting.md rename to published/201612/20161021 Livepatch – Apply Critical Security Patches to Ubuntu Linux Kernel Without Rebooting.md diff --git a/published/20161023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md b/published/201612/20161023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md similarity index 100% rename from published/20161023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md rename to published/201612/20161023 HOW TO SHARE STEAM GAME FILES BETWEEN LINUX AND WINDOWS.md diff --git a/published/20161024 Getting Started with Webpack 2.md b/published/201612/20161024 Getting Started with Webpack 2.md similarity index 100% rename from published/20161024 Getting Started with Webpack 2.md rename to published/201612/20161024 Getting Started with Webpack 2.md diff --git a/published/20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md b/published/201612/20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md similarity index 100% rename from published/20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md rename to published/201612/20161026 24 MUST HAVE ESSENTIAL LINUX APPLICATIONS IN 2016.md diff --git a/published/20161026 Fedora-powered computer lab at our university.md b/published/201612/20161026 Fedora-powered computer lab at our university.md similarity index 100% rename from published/20161026 Fedora-powered computer lab at our university.md rename to published/201612/20161026 Fedora-powered computer lab at our university.md 
diff --git a/published/20161027 DTrace for Linux 2016.md b/published/201612/20161027 DTrace for Linux 2016.md similarity index 100% rename from published/20161027 DTrace for Linux 2016.md rename to published/201612/20161027 DTrace for Linux 2016.md diff --git a/published/20161027 Would You Consider Riding in a Driverless Car.md b/published/201612/20161027 Would You Consider Riding in a Driverless Car.md similarity index 100% rename from published/20161027 Would You Consider Riding in a Driverless Car.md rename to published/201612/20161027 Would You Consider Riding in a Driverless Car.md diff --git a/published/20161030 I dont understand Pythons Asyncio.md b/published/201612/20161030 I dont understand Pythons Asyncio.md similarity index 100% rename from published/20161030 I dont understand Pythons Asyncio.md rename to published/201612/20161030 I dont understand Pythons Asyncio.md diff --git a/published/20161102 5 Best FPS Games For Linux.md b/published/201612/20161102 5 Best FPS Games For Linux.md similarity index 100% rename from published/20161102 5 Best FPS Games For Linux.md rename to published/201612/20161102 5 Best FPS Games For Linux.md diff --git a/published/20161104 4 Easy Ways To Generate A Strong Password In Linux.md b/published/201612/20161104 4 Easy Ways To Generate A Strong Password In Linux.md similarity index 100% rename from published/20161104 4 Easy Ways To Generate A Strong Password In Linux.md rename to published/201612/20161104 4 Easy Ways To Generate A Strong Password In Linux.md diff --git a/published/20161105 How to Install Security Updates Automatically on Debian and Ubuntu.md b/published/201612/20161105 How to Install Security Updates Automatically on Debian and Ubuntu.md similarity index 100% rename from published/20161105 How to Install Security Updates Automatically on Debian and Ubuntu.md rename to published/201612/20161105 How to Install Security Updates Automatically on Debian and Ubuntu.md 
diff --git a/published/20161110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md b/published/201612/20161110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md similarity index 100% rename from published/20161110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md rename to published/201612/20161110 4 Ways to Batch Convert Your PNG to JPG and Vice-Versa.md diff --git a/published/20161110 How To Update Wifi Network Password From Terminal In Arch Linux.md b/published/201612/20161110 How To Update Wifi Network Password From Terminal In Arch Linux.md similarity index 100% rename from published/20161110 How To Update Wifi Network Password From Terminal In Arch Linux.md rename to published/201612/20161110 How To Update Wifi Network Password From Terminal In Arch Linux.md diff --git a/published/20161110 How to check if port is in use on Linux or Unix.md b/published/201612/20161110 How to check if port is in use on Linux or Unix.md similarity index 100% rename from published/20161110 How to check if port is in use on Linux or Unix.md rename to published/201612/20161110 How to check if port is in use on Linux or Unix.md diff --git a/published/20161112 Neofetch – Shows Linux System Information with Distribution Logo.md b/published/201612/20161112 Neofetch – Shows Linux System Information with Distribution Logo.md similarity index 100% rename from published/20161112 Neofetch – Shows Linux System Information with Distribution Logo.md rename to published/201612/20161112 Neofetch – Shows Linux System Information with Distribution Logo.md diff --git a/published/20161114 Introduction to Eclipse Che a next-generation web-based IDE.md b/published/201612/20161114 Introduction to Eclipse Che a next-generation web-based IDE.md similarity index 100% rename from published/20161114 Introduction to Eclipse Che a next-generation web-based IDE.md rename to published/201612/20161114 Introduction to Eclipse Che a next-generation web-based IDE.md 
diff --git a/published/20161116 Fix Unable to lock the administration directory in Ubuntu.md b/published/201612/20161116 Fix Unable to lock the administration directory in Ubuntu.md similarity index 100% rename from published/20161116 Fix Unable to lock the administration directory in Ubuntu.md rename to published/201612/20161116 Fix Unable to lock the administration directory in Ubuntu.md diff --git a/published/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md b/published/201612/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md similarity index 100% rename from published/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md rename to published/201612/20161121 Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1.md diff --git a/published/20161123 How to find a file on a Linux VPS.md b/published/201612/20161123 How to find a file on a Linux VPS.md similarity index 100% rename from published/20161123 How to find a file on a Linux VPS.md rename to published/201612/20161123 How to find a file on a Linux VPS.md diff --git a/published/20161124 Fedora 25 Workstation Installation Guide.md b/published/201612/20161124 Fedora 25 Workstation Installation Guide.md similarity index 100% rename from published/20161124 Fedora 25 Workstation Installation Guide.md rename to published/201612/20161124 Fedora 25 Workstation Installation Guide.md diff --git a/published/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md b/published/201612/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md similarity index 100% rename from published/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md rename to published/201612/20161124 How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2.md 
diff --git a/published/20161126 Find Out All Live Hosts IP Addresses Connected on Network in Linux.md b/published/201612/20161126 Find Out All Live Hosts IP Addresses Connected on Network in Linux.md similarity index 100% rename from published/20161126 Find Out All Live Hosts IP Addresses Connected on Network in Linux.md rename to published/201612/20161126 Find Out All Live Hosts IP Addresses Connected on Network in Linux.md diff --git a/published/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md b/published/201612/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md similarity index 100% rename from published/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md rename to published/201612/20161128 Moving with SQL Server to Linux - Move from SQL Server to MySQL as well.md diff --git a/published/20161128 Uncommon-but-useful-GCC-command-line-options-part-1.md b/published/201612/20161128 Uncommon-but-useful-GCC-command-line-options-part-1.md similarity index 100% rename from published/20161128 Uncommon-but-useful-GCC-command-line-options-part-1.md rename to published/201612/20161128 Uncommon-but-useful-GCC-command-line-options-part-1.md diff --git a/published/20161130 Install Security Patches or Updates Automatically on CentOS and RHEL.md b/published/201612/20161130 Install Security Patches or Updates Automatically on CentOS and RHEL.md similarity index 100% rename from published/20161130 Install Security Patches or Updates Automatically on CentOS and RHEL.md rename to published/201612/20161130 Install Security Patches or Updates Automatically on CentOS and RHEL.md diff --git a/published/20161130 Locking Down Your Linux Server.md b/published/201612/20161130 Locking Down Your Linux Server.md similarity index 100% rename from published/20161130 Locking Down Your Linux Server.md rename to published/201612/20161130 Locking Down Your Linux Server.md 
diff --git a/published/2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md b/published/201612/2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md similarity index 100% rename from published/2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md rename to published/201612/2016118-How-To-Enable-Shell-Script-Debugging Mode in Linux.md diff --git a/published/20161201 3 open source password managers.md b/published/201612/20161201 3 open source password managers.md similarity index 100% rename from published/20161201 3 open source password managers.md rename to published/201612/20161201 3 open source password managers.md diff --git a/published/20161201 5 Ways to Empty or Delete a Large File Content in Linux.md b/published/201612/20161201 5 Ways to Empty or Delete a Large File Content in Linux.md similarity index 100% rename from published/20161201 5 Ways to Empty or Delete a Large File Content in Linux.md rename to published/201612/20161201 5 Ways to Empty or Delete a Large File Content in Linux.md diff --git a/published/20161201 How to Build an Email Server on Ubuntu Linux.md b/published/201612/20161201 How to Build an Email Server on Ubuntu Linux.md similarity index 100% rename from published/20161201 How to Build an Email Server on Ubuntu Linux.md rename to published/201612/20161201 How to Build an Email Server on Ubuntu Linux.md diff --git a/published/20161201 Uncommon but useful GCC command line options - part 2.md b/published/201612/20161201 Uncommon but useful GCC command line options - part 2.md similarity index 100% rename from published/20161201 Uncommon but useful GCC command line options - part 2.md rename to published/201612/20161201 Uncommon but useful GCC command line options - part 2.md 
diff --git a/published/20161202 httpstat – A Curl Statistics Tool to Check Website Performance.md b/published/201612/20161202 httpstat – A Curl Statistics Tool to Check Website Performance.md similarity index 100% rename from published/20161202 httpstat – A Curl Statistics Tool to Check Website Performance.md rename to published/201612/20161202 httpstat – A Curl Statistics Tool to Check Website Performance.md diff --git a/published/20161203 Redirect a Website URL from One Server to Different Server in Apache.md b/published/201612/20161203 Redirect a Website URL from One Server to Different Server in Apache.md similarity index 100% rename from published/20161203 Redirect a Website URL from One Server to Different Server in Apache.md rename to published/201612/20161203 Redirect a Website URL from One Server to Different Server in Apache.md diff --git a/published/20161203 The Complete Guide to Flashing Factory Images Using Fastboot.md b/published/201612/20161203 The Complete Guide to Flashing Factory Images Using Fastboot.md similarity index 100% rename from published/20161203 The Complete Guide to Flashing Factory Images Using Fastboot.md rename to published/201612/20161203 The Complete Guide to Flashing Factory Images Using Fastboot.md diff --git a/published/20161209 How to Copy a File to Multiple Directories in Linux.md b/published/201612/20161209 How to Copy a File to Multiple Directories in Linux.md similarity index 100% rename from published/20161209 How to Copy a File to Multiple Directories in Linux.md rename to published/201612/20161209 How to Copy a File to Multiple Directories in Linux.md 
diff --git a/published/20161210 How to Perform Syntax Checking Debugging Mode in Shell Scripts.md b/published/201612/20161210 How to Perform Syntax Checking Debugging Mode in Shell Scripts.md similarity index 100% rename from published/20161210 How to Perform Syntax Checking Debugging Mode in Shell Scripts.md rename to published/201612/20161210 How to Perform Syntax Checking Debugging Mode in Shell Scripts.md diff --git a/published/20161212 Add Rainbow Colors to Linux Command Output in Slow Motion.md b/published/201612/20161212 Add Rainbow Colors to Linux Command Output in Slow Motion.md similarity index 100% rename from published/20161212 Add Rainbow Colors to Linux Command Output in Slow Motion.md rename to published/201612/20161212 Add Rainbow Colors to Linux Command Output in Slow Motion.md diff --git a/published/20161215 Building an Email Server on Ubuntu Linux - Part 2.md b/published/201612/20161215 Building an Email Server on Ubuntu Linux - Part 2.md similarity index 100% rename from published/20161215 Building an Email Server on Ubuntu Linux - Part 2.md rename to published/201612/20161215 Building an Email Server on Ubuntu Linux - Part 2.md diff --git a/published/20161215 Installation of CentOS 7.3 Guide.md b/published/201612/20161215 Installation of CentOS 7.3 Guide.md similarity index 100% rename from published/20161215 Installation of CentOS 7.3 Guide.md rename to published/201612/20161215 Installation of CentOS 7.3 Guide.md diff --git a/published/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md b/published/201612/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md similarity index 100% rename from published/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md rename to published/201612/20161215 Installation of Red Hat Enterprise Linux 7.3 Guide.md 
diff --git a/published/Arch Linux In a world of polish, DIY never felt so good.md b/published/201612/Arch Linux In a world of polish, DIY never felt so good.md similarity index 100% rename from published/Arch Linux In a world of polish, DIY never felt so good.md rename to published/201612/Arch Linux In a world of polish, DIY never felt so good.md From c0e9c0516c1c52889e73fbf5a21c889951d17dbe Mon Sep 17 00:00:00 2001 From: erlinux Date: Sun, 1 Jan 2017 00:19:52 +0800 Subject: [PATCH 151/181] erlinux translated --- .../20161128 Managing devices in Linux.md | 173 ------------------ .../20161128 Managing devices in Linux.md | 172 +++++++++++++++++ 2 files changed, 172 insertions(+), 173 deletions(-) delete mode 100644 sources/tech/20161128 Managing devices in Linux.md create mode 100644 translated/tech/20161128 Managing devices in Linux.md diff --git a/sources/tech/20161128 Managing devices in Linux.md b/sources/tech/20161128 Managing devices in Linux.md deleted file mode 100644 index 09a5e7508d..0000000000 --- a/sources/tech/20161128 Managing devices in Linux.md +++ /dev/null 
@@ -1,173 +0,0 @@ -erlinux translate... - -Managing devices in Linux -============================================================ - ->Explore how the /dev directory gives you direct access to your devices in Linux. - - ![Managing devices in Linux](https://opensource.com/sites/default/files/styles/image-full-size/public/images/life/OSDC_Penguin_Image_520x292_12324207_0714_mm_v1a.png?itok=WfAkwbFy "Managing devices in Linux") - ->Image by :Opensource.com - -There are many interesting features of the Linux directory structure. This month I cover some fascinating aspects of the /dev directory. Before you proceed any further with this article, I suggest that, if you have not already done so, you read my earlier articles, _[Everything is a file][1]_, and _[An introduction to Linux filesystems][2]_, both of which introduce some interesting Linux filesystem concepts. Go ahead—I will wait. - -Great! Welcome back. Now we can proceed with a more detailed exploration of the /dev directory. - -### Device files - -Device files are also known as [device ][3][special files][4]. Device files are employed to provide the operating system and users an interface to the devices that they represent. All Linux device files are located in the /dev directory, which is an integral part of the root (/) filesystem because these device files must be available to the operating system during the boot process. - -One of the most important things to remember about these device files is that they are most definitely not device drivers. They are more accurately described as portals to the device drivers. Data is passed from an application or the operating system to the device file which then passes it to the device driver which then sends it to the physical device. The reverse data path is also used, from the physical device through the device driver, the device file, and then to an application or another device. - -Let's look at the data flow of a typical command to visualize this. 
- - ![dboth-dev-dir_0.png](https://opensource.com/sites/default/files/images/life-uploads/dboth-dev-dir_0.png) - -Figure 1: Simple data flow for a typical command. - -In Figure 1, above, a simplified data flow is shown for a common command. Issuing the **cat /etc/resolv.conf** command from a GUI terminal emulator such as Konsole or xterm causes the resolv.conf file to be read from the disk with the disk device driver handling the device specific functions such as locating the file on the hard drive and reading it. The data is passed through the device file and then from the command to the device file and device driver for pseudo-terminal 6 where it is displayed in the terminal session. - -Of course, the output of the **cat** command could have been redirected to a file in the following manner, **cat /etc/resolv.conf > /etc/resolv.bak** in order to create a backup of the file. In that case, the data flow on the left side of Figure 1 would remain the same while the data flow on the right would be through the /dev/sda2 device file, the hard drive device driver and then onto the hard drive itself. - -These device files make it very easy to use standard streams (STD/IO) and redirection to access any and every device on a Linux or Unix computer. Simply directing a data stream to a device file sends the data to that device. - -### Classification - -Device files can be classified in at least two ways. The first and most commonly used classification is that of the data stream commonly associated with the device. For example, tty (teletype) and serial devices are considered to be character based because the data stream is transferred and handled one character or byte at a time. Block type devices such as hard drives transfer data in blocks, typically a multiple of 256 bytes. - -If you have not already, go ahead and as a non-root user in a terminal session, change the present working directory (PWD) to /dev and display a long listing. 
This shows a list of device files with their file permissions and their major and minor identification numbers. For example, the following device files are just a few of the ones in the /dev/directory on my Fedora 24 workstation. They represent disk and tty type devices. Notice the leftmost character of each line in the output. The ones that have a "b" are block type devices and the ones that begin with "c" are character devices. - -``` -brw-rw----   1 root disk        8,   0 Nov  7 07:06 sda -brw-rw---- 1 root disk        8,   1 Nov  7 07:06 sda1 -brw-rw---- 1 root disk        8,  16 Nov  7 07:06 sdb -brw-rw---- 1 root disk        8,  17 Nov  7 07:06 sdb1 -brw-rw---- 1 root disk        8,  18 Nov  7 07:06 sdb2 -crw--w----  1 root tty         4,   0 Nov  7 07:06 tty0 -crw--w---- 1 root tty         4,   1 Nov  7 07:07 tty1 -crw--w---- 1 root tty         4,  10 Nov  7 07:06 tty10 -crw--w---- 1 root tty         4,  11 Nov  7 07:06 tty11 -``` - -The more detailed and explicit way to identify device files is using the device major and minor numbers. The disk devices have a major number of 8 which designates them as SCSI block devices. Note that all PATA and SATA hard drives have been managed by the SCSI subsystem because the old ATA subsystem was many years ago deemed as not maintainable due to the poor quality of its code. As a result, hard drives that would previously have been designated as "hd[a-z]" are now referred to as "sd[a-z]". - -You can probably infer the pattern of disk drive minor numbers in the small sample shown above. Minor numbers 0, 16, 32 and so on up through 240 are the whole disk numbers. So major/minor 8/16 represents the whole disk /dev/sdb and 8/17 is the device file for the first partition, /dev/sdb1\. Numbers 8/34 would be /dev/sdc2. - -The tty device files in the list above are numbered a bit more simply from tty0 through tty63. 
- -The [Linux Allocated Devices][5] file at Kernel.org is the official registry of device types and major and minor number allocations. It can help you understand the major/minor numbers for all currently defined devices. - -### Fun with device files - -Let's take a few minutes now and perform a couple fun experiments that will illustrate the power and flexibility of the Linux device files. Most Linux distributions have multiple virtual consoles, 1 through 7, that can be used to login to a local console session with a shell interface. These can be accessed using the key combinations Ctrl-Alt-F1 for console 1, Ctrl-Alt-F2 for console 2, and so on. - -Press Ctrl-Alt-F2 to switch to console 2\. On some distributions, the login information includes the tty device associated with this console, but many do not. It should be tty2 because you are in console 2. - -Log in as a non-root user. Then you can use the who am i command—yes, just like that, with spaces—to determine which tty device is connected to this console. - -Before we actually perform this experiment, look at a listing of the tty2 and tty3 devices in /dev. - -``` -ls -l /dev/tty[23] -``` - -There will be a large number of tty devices defined but we do not care about most of them, just the tty2 and tty3 devices. As device files, there is nothing special about them; they are simply character type devices. We will use these devices for this experiment. The tty2 device is attached to virtual console 2 and the tty3 device is attached to virtual console 3. - -Press Ctrl-Alt-F3 to switch to console 3\. Log in again as the same non-root user. Now enter the following command on console 3. - -``` -echo "Hello world" > /dev/tty2 -``` - -Press Ctrl-Alt-F2 to return to console 2\. The string "Hello world" (without quotes) is displayed in console 2. - -This experiment can also be performed with terminal emulators on the GUI desktop. 
Terminal sessions on the desktop use pseudo terminal devices in the /dev tree, such as /dev/pts/1\. Open two terminal sessions using Konsole or Xterm. Determine which pseudo-terminals they are connected to and use one to send a message to the other. - -Now continue the experiment by using the cat command to display the /etc/fstab file on a different terminal. - -Another interesting experiment is to print a file directly to the printer using the cat command. Assuming that your printer device is /dev/usb/lp0, and that your printer can print PDF files directly, the following command will print the PDF file test.pdf on your printer. - -``` -cat test.pdf > /dev/usb/lp0 -``` - -The /dev directory contains some very interesting device files that are portals to hardware that one does not normally think of as a device like a hard drive or display. For one example, system memory—RAM—is not something that is normally considered as a "device," yet /dev/mem is the portal through which direct access to memory can be achieved. The following example had some interesting results. - -``` -dd if=/dev/mem bs=2048 count=100 -``` - -The **dd** command above provides a bit more control than simply using the **cat**command to dump all of a system's memory. It provides the ability to specify how much data is read from /dev/mem and would also allow me to specify the point at which to start reading data from memory. Although some memory was read, the kernel responded with the following error that I found in /var/log/messages. - -``` -Nov 14 14:37:31 david kernel: usercopy: kernel memory exposure attempt detected from ffff9f78c0010000 (dma-kmalloc-512) (2048 bytes) -``` - -What this error means is that the kernel is doing its job by protecting memory that belongs to other processes which is exactly how it should work. So, although you can use /dev/mem to display data stored in RAM memory, access to most memory space is protected and will result in errors. 
Only that virtual memory which is assigned by the kernel memory manager to the BASH shell running the **dd** command should be accessible without causing an error. Sorry, but you cannot snoop in memory that does not belong to you unless you find a vulnerability to exploit. - -There are some other very interesting device files in /dev. The device files null, zero, random and urandom are not associated with any physical devices. - -For example, the null device /dev/null can be used as a target for the redirection of output from shell commands or programs so that they are not displayed on the terminal. I frequently use this in my BASH scripts to prevent users from being presented with output that might be confusing to them. The /dev/null device can be used to produce a string of null characters. Use the **dd** command as shown below to view some output from the /dev/null device file. - -``` -# dd if=/dev/null  bs=512 count=500 | od -c      -0+0 records in -0+0 records out -0 bytes copied, 1.5885e-05 s, 0.0 kB/s -0000000 -``` - -Note that there is really no visible output because null characters are nothing. Note the byte count. - -The /dev/random and /dev/urandom devices are also very interesting. As their names imply, they both produce random output—not just numbers but any and all byte combinations. The /dev/urandom device produces deterministic random output and is very fast. That means the output is determined by an algorithm and uses a seed string as a starting point. As a result it is possible, although very difficult, for a hacker to reproduce the output if the original seed is known. Use the command **cat /dev/urandom** to view typical output. You can use Ctrl-c to break out. - -The /dev/random device file produces non-deterministic random output but it produces output more slowly. This output is not determined by an algorithm that is dependent upon the previous number, but is generated in response to keystrokes and mouse movements. 
This method makes it far more difficult to duplicate a specific series of random numbers. Use the **cat **command to view some of the output from the /dev/random device file. Try moving the mouse to see how it affects the output. - -As its name implies, the /dev/zero device file produces an unending string of zeroes as output. Note that these are Octal zeroes and not the ASCII character zero (0). Use the **dd** command as shown below to view some output from the /dev/zero device file. - -``` -# dd if=/dev/zero  bs=512 count=500 | od -c -0000000  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0 -* -500+0 records in -500+0 records out -256000 bytes (256 kB, 250 KiB) copied, 0.00126996 s, 202 MB/s -0764000 -``` - -Note that the byte count for this command is non-zero. - -### Creating device files - -In the past, the device files in /dev were all created at installation time, resulting in a directory full of almost every possible device file, even though most would never be used. In the unlikely event that a new device file was needed or one was accidentally deleted and needed to be re-created, the **mknod** program was available to manually create device files. All you had to know was the device major and minor numbers. - -CentOS and RHEL 6 and 7, as well as all versions of Fedora going back to at least as far Fedora 15, use the newer method of creating the device files. All device files are created at boot time. This functionality is possible because the udev device manager detects addition and removal of devices as they occur. This allows for true dynamic plug-n-play functionality while the host is up and running. It also performs the same task at boot time by detecting all devices installed on the system very early in the boot process. [Linux.com][6] has a good [description of udev][7]. - -Going back to your listing of the files in /dev, notice the date and time on the files. All of them were created during the last boot. 
You can verify this using the **uptime**or **last** commands. In my device listing above, all of those files were created at 7:06 AM on November 7, which is the last time I booted the system. - -Of course, the **mknod** command is still available, but the new **MAKEDEV** (yes, in all uppercase—which in my opinion is contrary to the Linux philosophy of using all lowercase command names) command provides an easier interface for creating device files, should the need arise. The MAKEDEV command is not installed by default in current versions of Fedora or CentOS 7; it is installed in CentOS 6\. You can use YUM or DNF to install the MAKEDEV package. - -### Conclusion - -Interestingly enough, it had been a long time since I needed to create a device file. However, just recently I had an interesting situation where one of the device files I typically use was not created and I did have to create it. I have not had any problem with that device since. So a situation caused by a missing device file can still happen and knowing how to deal with it can be important. - -I have not covered many of the myriad different types of device files that you might encounter. That information is available in plenty of detail in the resources cited. I hope I have given you some basic understanding of how these files function and the tools to allow you to explore more on your own. 
- --------------------------------------------------------------------------------- - -via: https://opensource.com/article/16/11/managing-devices-linux - -作者:[David Both][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://opensource.com/users/dboth -[1]:https://opensource.com/life/15/9/everything-is-a-file -[2]:https://opensource.com/life/16/10/introduction-linux-filesystems -[3]:https://en.wikipedia.org/wiki/Device_file -[4]:https://en.wikipedia.org/wiki/Device_file -[5]:https://www.kernel.org/doc/Documentation/devices.txt -[6]:https://www.linux.com/ -[7]:https://www.linux.com/news/udev-introduction-device-management-modern-linux-system diff --git a/translated/tech/20161128 Managing devices in Linux.md b/translated/tech/20161128 Managing devices in Linux.md new file mode 100644 index 0000000000..9b5cba47ff --- /dev/null +++ b/translated/tech/20161128 Managing devices in Linux.md 
@@ -0,0 +1,172 @@ +### 在 Linux 中管理设备 + +探索如何使您直接访问到 Linux 中的 /dev 目录设备。 + +![Managing devices in Linux](https://opensource.com/sites/default/files/styles/image-full-size/public/images/life/OSDC_Penguin_Image_520x292_12324207_0714_mm_v1a.png itok=WfAkwbFy "Managing devices in Linux") + +> Image by :Opensource.com + +Linux 目录结构有很多有趣的功能,这个月我涉及(报导)了一些令人着迷的 /dev 目录。在继续这篇文章的任何操作之前,建议你看看我前面的文章。Linux 文件系统,一切皆为文件,这两个都介绍有趣的 Linux 文件系统概念。继续吗?我会等待。 + +太好了 !欢迎回来。现在我们可以继续进行更详尽地探讨 /dev 目录。 + +### 设备文件 + +设备文件也称为?驱动 ][3][special files][4]. 设备文件被操作系统用来代表提供给用户的设备接口。所有的 Linux 设备文件位于 /dev 目录,是根 (/) 文件系统的一个组成部分,因为这些设备文件要在操作系统启动过程中必须用到。 + +关于要记住这些设备文件最重要的事情之一是大多数没有明确的设备驱动。他们是更准确地描述为门户对设备驱动程序。数据从应用程序或操作系统传递到该设备文件,然后将它传递给设备驱动程序,再将它发给物理设备。反向数据通道也可以用,从物理设备通过设备驱动程序再到设备文件最后到达一个应用程序或其他设备。 + +让我们以一个可视化的典型命令看看这数据的流程。 + + ![dboth-dev-dir_0.png](https://opensource.com/sites/default/files/images/life-uploads/dboth-dev-dir_0.png) + +图1:典型命令的简单数据流。 + +在上面示出的图1中,显示一个简单命令的简化数据流程。**cat /etc/resolv.conf** 命令来自Konsole 或 xterm 终端仿真器解释 resolv.conf 文件从磁盘与磁盘设备驱动程序读取处理设备的具体功能。例如将文件定位在硬盘驱动器上并读取它。数据通过设备文件传递,然后命令终端会话中的显示位置从设备文件到设备驱动程序为 6 的伪终端。 + +当然,输出命令 **cat** 可以以下面的方式被重定向到一个文件 **cat /etc/resolv.conf > /etc/resolv.bak** 创建文件的备份。 + +在这种情况下,图 1 左侧的数据流量将保持不变而右边的数据流量将通过 /dev/sda2 设备文件,硬盘设备驱动程序,然后到硬驱动器本身。 + +这些设备文件使它使用标准流 (STD/IO) 和重定向访问Linux 或 Unix 计算机上的任何一个设备非常容易。只需将数据流定向到设备文件即可将数据发送到该设备。 + +### 设备文件类别 + +设备文件至少可以被分为两种方式。最常用的第一种分类通常是与设备相关联数据的数据流。比如,虚拟终端 (电报交换机) 并且串行设备被认为是基于字符的,因为数据流一次被传送和处理一个字符或字节。 块类型设备(如硬盘驱动器)以块为单位传输数据,通常为256个字节的倍数。 + +如果你还没有准备好继续前进,在终端会话一个非root用户,改变目前的工作目录(PWD)到 /dev 和显示的长目录列表。 这将显示设备文件列表及其文件权限及其主要和次要标识号。 例如,下面的设备文件只是 Fedora 24 工作站上 /dev 目录中的几个文件。 它们表示磁盘和tty设备类型。 注意输出中每行的最左边的字符。 具有“b”的是块类型设备,以“c”开头的是字符设备。 + +``` +brw-rw----   1 root disk        8,   0 Nov  7 07:06 sda +brw-rw---- 1 root disk        8,   1 Nov  7 07:06 sda1 +brw-rw---- 1 root disk        8,  16 Nov  7 07:06 sdb +brw-rw---- 1 root disk        8,  17 Nov  7 07:06 sdb1 +brw-rw---- 1 root disk        8,  18 Nov  7 07:06 sdb2 
+crw--w----  1 root tty         4,   0 Nov  7 07:06 tty0 +crw--w---- 1 root tty         4,   1 Nov  7 07:07 tty1 +crw--w---- 1 root tty         4,  10 Nov  7 07:06 tty10 +crw--w---- 1 root tty         4,  11 Nov  7 07:06 tty11 +``` + +识别设备文件更详细和更明确的方法是使用设备主要以及次要码。 磁盘设备具有主数字8,其将它们指定为SCSI块设备。 请注意,所有PATA和SATA硬盘驱动器都由SCSI子系统管理,因为旧的ATA子系统多年前被认为是不可维护的,因为它的代码质量差。 造成的结果是,以前被称为“hd [a-z]”的硬盘驱动器现在被称为“sd [a-z]”。 + +你大概可以推断出磁盘驱动器次要设备号如上示例所示的模式。小数字 0、 16、 32 等等,通过 240 是整个磁盘号。所以主要/次要 8/16 表示整个磁盘 /dev/sdb 和 8/17 是 /dev/sdb1的第一个分区的设备文件。数字 8/34 将是 /dev/sdc2。 + +在上面列表中的tty设备文件是通过从tty0到tty63的编号更简单一些。 + +Kernel.org上的[Linux Allocated Devices][5]文件是设备类型和主要和次要编号分配的正式注册表。 它可以帮助您了解所有当前定义的设备的主要/次要号码。 + +### 设备文件乐趣 + +让我们花几分钟时间,执行几个有趣的,实验将说明Linux设备文件的强大和灵活性。 大多数Linux发行版都有1到7多个虚拟控制台,可用于使用shell接口登录到本地控制台会话。 可以使用Ctrl-Alt-F1(对于控制台1),Ctrl-Alt-F2(对于控制台2)等组合键可以访问这些。 + +请按 Ctrl-Alt-F2 切换到控制台 2。在某些发行版,登录信息包括与此控制台关联的tty设备,但许多人不知道。它应该是 tty2,因为你是在控制台 2 中。 + +以非root用户身份登录。 然后你可以使用谁是我的命令(译者注:就是命令“who”)。是的,就像这样,用空格来确定哪个tty设备连接到这个控制台。 + +在我们实际执行此实验之前,看看在 /dev中的 tty2 和 tty3 的设备列表 + +``` +ls -l /dev/tty[23] +``` + +将有大量的 tty 设备定义,但我们不关心他们中的大多数,只注意 tty2 和 tty3 上的设备。 作为设备文件,他们没什么特别之处。他们都只是字符类型设备。我们将使用这些设备进行此实验。 tty2设备连接到虚拟控制台2,tty3设备连接到虚拟控制台3。 + +按 Ctrl-Alt-f2 键以返回到控制台 2。字符串"Hello world"(没有引号) 将显示在控制台 2。 + +``` +echo "Hello world" > /dev/tty2 +``` + +该实验也可以使用GUI桌面上的终端仿真器来执行。 桌面上的终端会话在 /dev 中使用伪终端设备,如 /dev/pts/1。 使用 Konsole 或 Xterm 打开两个终端会话。 确定它们连接到哪些伪终端,并使用一个向另一个发送消息。 + +现在继续实验,使用 cat 命令在不同的终端上显示 /etc/fstab 文件。 + +另一个有趣的实验是使用cat命令将文件直接打印到打印机。 假设您的打印机设备是/ dev / usb / lp0,并且您的打印机可以直接打印PDF文件,以下命令将在您的打印机上打印PDF文件test.pdf。 + +``` +cat test.pdf > /dev/usb/lp0 +``` + +/dev目录包含一些非常有趣的设备文件,这些文件是硬件的入口,人们通常不认为这是硬盘驱动器或显示器之类的设备。 例如,系统存储器RAM不是通常被认为是“设备”的东西,而/ dev / mem是通过其可以实现对存储器的直接访问的门户。 下面的例子有一些有趣的结果。 + +``` +dd if=/dev/mem bs=2048 count=100 +``` + +The **dd** command above provides a bit more control than simply using the **cat**command to dump all of a system's memory. 
It provides the ability to specify how much data is read from /dev/mem and would also allow me to specify the point at which to start reading data from memory. Although some memory was read, the kernel responded with the following error that I found in /var/log/messages. + +上面的**dd**命令提供比简单地使用**cat**命令转储所有系统的内存提供了更多的控制。 它提供了指定从 /dev/mem 读取多少数据的能力,并且还允许我指定开始从存储器读取数据的点。 虽然一些内存被读取,内核响应我在 /var/log/messages中发现的以下错误 + +``` +Nov 14 14:37:31 david kernel: usercopy: kernel memory exposure attempt detected from ffff9f78c0010000 (dma-kmalloc-512) (2048 bytes) +``` + +这个错误意味着内核正在通过保护属于其他进程的内存来完成它的工作,这正是它应该工作的方式。 所以,虽然可以使用 /dev/mem 来显示存储在 RAM 内存中的数据,但是访问大多数内存空间是受保护的并且会导致错误。 只有由内核内存管理器分配给运行**dd**命令的BASH shell的虚拟内存才可以访问,而不会导致错误。 抱歉,但你不能在不属于你的内存监听,除非你发现了一个漏洞利用。 + +/dev中还有一些非常有趣的设备文件。 设备文件null,zero,random和urandom不与任何物理设备相关联。 + +例如,空设备/dev/null可以用作来自shell命令或程序的输出重定向的目标,以便它们不显示在终端上。 我经常在我的BASH脚本中使用这个,以防止向用户展示可能会让他们感到困惑的输出。(译者注:作者怕大家看不懂,解释了一下) /dev/null 设备可用于产生一个空字符串。 使用如下所示的dd命令查看/dev/null设备文件的一些输出。 + +``` +# dd if=/dev/null bs=512 count=500 | od -c +0+0 records in +0+0 records out +0 bytes copied, 1.5885e-05 s, 0.0 kB/s +0000000 +``` + +注意,因为空字符什么也没有所以确实没有可见的输出。 注意字节计数。 + +/ dev / random和/ dev / urandom设备也很有趣。 正如他们的名字所暗示的,它们都产生随机输出,而不仅仅是数字,而是任何和所有字节组合。 / dev / urandom设备产生确定性的随机输出并且非常快。 这意味着输出由算法确定,并使用种子字符串作为起点。 结果,如果原始种子是已知的,则黑客可以再现输出,尽管非常困难。 使用命令 **cat /dev/urandom** 可以查看典型输出. 你可以使用 Ctrl-c 去退出. 
+ +/dev/random设备文件生成非确定性随机输出,但它产生的输出更慢。 该输出不是由依赖于先前数字的算法确定的,而是响应于击键和鼠标移动而产生的。 这种方法使得复制特定系列的随机数要困难得多。使用 **cat **命令去查看一些来自/dev/random 设备文件输出。尝试移动鼠标以查看它如何影响输出。 + +正如其名字所暗示的,/ dev / zero设备文件产生一个无止境的零字符串作为输出。 注意,这些是八进制零,而不是ASCII字符零(0)。 使用如下所示的 **dd** 查看/dev/zero设备文件中的一些输出 + +``` +# dd if=/dev/zero bs=512 count=500 | od -c +0000000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 +* +500+0 records in +500+0 records out +256000 bytes (256 kB, 250 KiB) copied, 0.00126996 s, 202 MB/s +0764000 +``` + +请注意,此命令的字节计数不为零。 + +### 创建设备文件 + +在过去,在/dev 中的设备文件都是在安装时创建的,导致一个目录中可能几乎所有的设备文件,尽管大多数永远不会使用。 在不太可能发生的情况下,需要新的设备文件或意外删除并需要重新创建 **mknod** 程序可手动创建设备文件。 你必须知道的是设备主要和次要号码。 + +CentOS and RHEL 6 and 7, 以及Fedora的所有版本回到至少与Fedora 15一样,使用较新的创建设备文件的方法。 所有设备文件都是在引导时创建的。 此功能是可能的,因为udev设备管理器检测到设备的添加和删除发生时。 这允许在主机启动和运行时的真正的动态即插即用功能。 它还在引导时执行相同的任务,通过在引导过程的早期检测系统上安装的所有设备。 [Linux.com][6] 有很棒的 [udev 描述][7]. + +回到你在/ dev中的文件列表,注意文件的日期和时间。 所有这些都是在上次启动时创建的。 您可以使用验证**uptime** 或者 **last 命令。在上面的设备列表中,所有这些文件都是在11月7日上午7:06创建的,这是我最后一次启动系统。 + +当然, **mknod** 命令仍然可用, 但新的 **MAKEDEV** (是的,所有大写,在我看来是违背Linux哲学使用所有小写命令名) 命令提供了一个更容易的界面,用于创建设备文件,如果需要的话。 在当前版本的Fedora或CentOS 7中,默认情况下不安装MAKEDEV命令; 它安装在CentOS 6.您可以使用YUM或DNF来安装MAKEDEV包。 + +### 结尾 + +有趣的是,我需要创建一个设备文件已经很长时间了。 然而,最近我有一个有趣的情况,其中一个通常使用的设备文件没有创建,我不得不创建它。 我从来没有与该设备有任何问题。所以造成丢失的设备文件的情况仍然可以发生,知道如何处理它可能很重要。 + +我所没有涵盖的你可能会遇到的不同类型的设备文件。 这些信息在所引用的资源中有大量的细节信息是可用的。 我希望我已经给你一些基本的了解这些文件的功能和工具,让你自己探索更多。 + +-------------------------------------------------------------------------------- + +via: https://opensource.com/article/16/11/managing-devices-linux + +作者:[David Both][a] +译者:[erlinux](http://www.itxdm.me) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://opensource.com/users/dboth +[1]:https://opensource.com/life/15/9/everything-is-a-file +[2]:https://opensource.com/life/16/10/introduction-linux-filesystems +[3]:https://en.wikipedia.org/wiki/Device_file 
+[4]:https://en.wikipedia.org/wiki/Device_file +[5]:https://www.kernel.org/doc/Documentation/devices.txt +[6]:https://www.linux.com/ +[7]:https://www.linux.com/news/udev-introduction-device-management-modern-linux-system From d6cfce78475ddaac17868d56b5b30d4e52108ba2 Mon Sep 17 00:00:00 2001 From: alim0x Date: Sun, 1 Jan 2017 02:09:27 +0800 Subject: [PATCH 152/181] [translated] 29 - The history of Android --- .../29 - The (updated) history of Android.md | 227 ------------------ .../29 - The (updated) history of Android.md | 225 +++++++++++++++++ 2 files changed, 225 insertions(+), 227 deletions(-) delete mode 100644 sources/talk/The history of Android/29 - The (updated) history of Android.md create mode 100644 translated/talk/The history of Android/29 - The (updated) history of Android.md diff --git a/sources/talk/The history of Android/29 - The (updated) history of Android.md b/sources/talk/The history of Android/29 - The (updated) history of Android.md deleted file mode 100644 index 5c7b2fdb6f..0000000000 --- a/sources/talk/The history of Android/29 - The (updated) history of Android.md +++ /dev/null 
@@ -1,227 +0,0 @@ -alim0x translating - -The (updated) history of Android -============================================================ - -### Follow the endless iterations from Android 0.5 to Android 7 and beyond. - - -Google Search was literally everywhere in Lollipop. A new "always-on voice recognition" feature allowed users to say "OK Google" at any time, from any screen, even when the display was off. The Google app was still Google's primary home screen, a feature which debuted in KitKat. The search bar was now present on the new recent apps screen, too. - -Google Now was still the left-most home screen page, but now a Material Design revamp gave it headers with big bold colors and redesigned typography. - -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/play-store-1-150x150.jpg) - ][1] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/play2-150x150.jpg) - ][2] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/6-150x150.jpg) - ][3] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/5-150x150.jpg) - ][4] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/12-2-150x150.jpg) - ][5] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/14-1-150x150.jpg) - ][6] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/19-1-150x150.jpg) - ][7] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/13-2-150x150.jpg) - ][8] - -The Play Store followed a similar path to other Lollipop apps. There was a huge visual refresh with bold colors, new typography, and a fresh layout. It's rare that there's any additional functionality here, just a new coat of paint on everything. - -The Navigation panel for the Play Store could now actually be used for navigation, with entries for each section of the Play Store. 
Lollipop also typically did away with the overflow button in the action bar, instead deciding to go with a single action button (usually search) and dumping every extra option in the navigation bar. This gave users a single place to look for items instead of having to hunt through two different menus. - -Also new in Lollipop apps was the ability to make the status bar transparent. This allowed the action bar color to bleed right through the status bar, making the bar only slightly darker than the surrounding UI. Some interfaces even used a full-bleed hero image at the top of the screen, which would show through the status bar. - -[ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1-980x481.jpg) -][38] - - -Google Calendar was completely re-written, gaining lots of new design touches and losing lots of features. You could no longer pinch zoom to adjust the time scale of views, month view was gone on phones, and week view regressed from a seven-day view to five days. Google would spend the next few versions re-adding some of these features after users complained. "Google Calendar" also doubled down on the "Google" by removing the ability to add third-party accounts directly in the app. Non-Google accounts would now need to be added via Gmail. - -It did look nice, though. In some views, the start of each month came with a header picture, just like a real paper calendar. Events with locations attached showed pictures from those locations. For instance, my "flight to San Francisco" displayed the Golden Gate Bridge. Google Calendar would also pull events out of Gmail and display them right on your calendar. 
- -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/7-150x150.jpg) - ][9] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/8-150x150.jpg) - ][10] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/12-150x150.jpg) - ][11] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/13-150x150.jpg) - ][12] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/3-1-150x150.jpg) - ][13] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/14-150x150.jpg) - ][14] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/6-2-150x150.jpg) - ][15] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/5-3-150x150.jpg) - ][16] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/7-2-150x150.jpg) - ][17] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/9-1-150x150.jpg) - ][18] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/10-1-150x150.jpg) - ][19] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/28-1-150x150.jpg) - ][20] - -Other apps all fell under pretty much the same description: not much in the way of new functionality, but big redesigns swapped out the greys of KitKat with bold, bright colors. Hangouts gained the ability to receive Google Voice SMSes, and the clock got a background color that changes with the time of day. - -#### Job Scheduler whips the app ecosystem into shape - -Google decided to focus on battery savings with Lollipop in a project it called "Project Volta." Google started creating more battery tracking tools for itself and developers, starting with the "Battery Historian." This python script took all of Android's battery logging data and spun it into a readable, interactive graph. With its new diagnostic equipment, Google flagged background tasks as a big consumer of battery. 
- -At I/O 2014, the company noted that enabling airplane mode and turning off the screen allowed an Android phone to run in standby for a month. However, if users enabled everything and started using the device, they wouldn't get through a single day. The takeaway was that if you could just get everything to stop doing stuff, your battery would do a lot better. - -As such, the company created a new API called "JobScheduler," the new traffic cop for background tasks on Android. Before Job Scheduler, every single app was responsible for its background processing, which meant every app would individually wake up the processor and modem, check for connectivity, organize databases, download updates, and upload logs. Everything had its own individual timer, so your phone would be woken up a lot. With JobScheduler, background tasks get batched up from an unorganized free-for-all into an orderly background processing window. - -JobScheduler lets apps specify conditions that their task needs (general connectivity, Wi-Fi, plugged into a wall outlet, etc), and it will send an announcement when those conditions are met. It's like the difference between push e-mail and checking for e-mail every five minutes... but with task requirements. Google also started pushing a "lazier" approach to background tasks. If something can wait until the device is on Wi-Fi, plugged-in, and idle, it should wait until then. You can see the results of this today when, on Wi-Fi, you can plug in an Android phone and only _then_ will it start downloading app updates. You don't instantly need to download app updates; it's best to wait until the user has unlimited power and data. 
- -#### Device setup gets future-proofed - -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/25-1-150x150.jpg) - ][21] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/26-150x150.jpg) - ][22] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup2-150x150.jpg) - ][23] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup3-150x150.jpg) - ][24] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup4-150x150.jpg) - ][25] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup5-150x150.jpg) - ][26] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup6-150x150.png) - ][27] - -Setup was overhauled to not just confirm to the Material Design guidelines, but it was also "future-proofed" so that it can handle any new login and authentication schemes Google cooks up in the future. Remember, part of the entire reasoning for writing "The History of Android" is that older versions of Android don't work anymore. Over the years, Google has upgraded its authentication schemes to use better encryption and two-factor authentication, but adding these new login requirements breaks compatibility with older clients. Lots of Android features require access to Google's cloud infrastructure, so when you can't log in, things like Gmail for Android 1.0 just don't work. - -In Lollipop, setup works much like it did before for the first few screens. You get a "welcome to Android screen" and options to set up cellular and Wi-Fi connectivity. Immediately after this screen, things changed though. As soon as Lollipop hit the internet, it pinged Google's servers to "check for updates." These weren't updates to the OS or to apps, but updates to the setup process about to run. After Android downloaded the newest version of setup, _then_ it asked you to log in with your Google account. - -The benefit of this is evident when trying to log into Lollipop and Kitkat today. 
Thanks to the updatable setup flow, the "2014" Lollipop OS can handle 2016 improvements, like Google's new "[tap to sign in][39]" 2FA method. KitKat chokes, but luckily it has a "web-browser sign-in" that can handle 2FA. - -Lollipop setup even takes the extreme stance of putting your Google e-mail and password on separate pages. [Google hates passwords][40] and has come up with several [experimental ways][41] to log into Google without one. If your account is setup to not have a password, Lollipop can just skip the password page. If you have a 2FA setup that uses a code, setup can slip the appropriate "enter 2FA code" page into the setup flow. Every piece of signing in is on a single page, so the setup flow is modular. Pages can be added and removed as needed. - -Setup also gave users control over app restoration. Android was doing some kind of data restoration previously to this, but it was impossible to understand because it just picked one of your devices without any user input and started restoring things. A new screen in the setup flow let users see their collection of device profiles in the cloud and pick the appropriate one. You could also choose which apps to restore from that backup. This backup was apps, your home screen layout, and a few minor settings like Wi-Fi hotspots. It wasn't a full app data backup. 
- -#### Settings - - -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/29-1-150x150.jpg) - ][28] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/settings-1-150x150.jpg) - ][29] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/2014-11-11-16.45.47-150x150.png) - ][30] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/battery-150x150.jpg) - ][31] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/user1-150x150.jpg) - ][32] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/users2-150x150.jpg) - ][33] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/30-1-150x150.jpg) - ][34] -* [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/31-150x150.jpg) - ][35] - -Setting swapped from a dark theme to a light one. Along with a new look, it got a handy search function. Every screen gave the user access to a magnifying glass, which let them more easily hunt down that elusive option. - -There were a few settings related to Project Volta. "Network Restrictions" allowed users to flag a Wi-Fi connection as metered, which would allow JobScheduler to avoid it for background processing. Also as part of Volta, a "Battery Saver" mode was added. This would limit background tasks and throttle down the CPU, which gave you a long lasting but very sluggish device. - -Multi-user support has been in Android tablets for a while, but Lollipop finally brought it down to Android phones. The settings screen added a new "users" page that let you add additional account or start up a "Guest" account. Guest accounts were temporary—they could be wiped out with a single tap. And unlike a normal account, it didn't try to download every app associated with your account, since it was destined to be wiped out soon. 
- --------------------------------------------------------------------------------- - -作者简介: - -Ron is the Reviews Editor at Ars Technica, where he specializes in Android OS and Google products. He is always on the hunt for a new gadget and loves to rip things apart to see how they work. - --------------------------------------------------------------------------------- - -via: http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/ - -作者:[RON AMADEO][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: http://arstechnica.com/author/ronamadeo -[1]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[2]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[3]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[4]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[5]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[6]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[7]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[8]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[9]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[10]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[11]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# 
-[12]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[13]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[14]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[15]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[16]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[17]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[18]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[19]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[20]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[21]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[22]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[23]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[24]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[25]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[26]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[27]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[28]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[29]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# 
-[30]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[31]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[32]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[33]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[34]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[35]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# -[36]:https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1.jpg -[37]:http://arstechnica.com/author/ronamadeo/ -[38]:https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1.jpg -[39]:http://arstechnica.com/gadgets/2016/06/googles-new-two-factor-authentication-system-tap-yes-to-log-in/ -[40]:https://www.theguardian.com/technology/2016/may/24/google-passwords-android -[41]:http://www.androidpolice.com/2015/12/22/google-appears-to-be-testing-a-new-way-to-log-into-your-account-on-other-devices-with-just-your-phone-no-password-needed/ diff --git a/translated/talk/The history of Android/29 - The (updated) history of Android.md b/translated/talk/The history of Android/29 - The (updated) history of Android.md new file mode 100644 index 0000000000..be378ae6d4 --- /dev/null +++ b/translated/talk/The history of Android/29 - The (updated) history of Android.md 
@@ -0,0 +1,225 @@ +安卓编年史 +============================================================ + +### 让我们跟着安卓从 0.5 版本到 7 的无尽迭代来看看它的发展历史。 + + +毫不夸张地说,谷歌搜索在棒棒糖中无处不在。“持续开启语音识别”这项特性让用户可以在任何界面随时说出“OK Google”,即时是在息屏状态也没有问题。谷歌应用依然是谷歌的首要主屏,这项特性是自奇巧时引入的。现在搜索栏也会显示在新的最近应用界面。 + +Google Now 依然是最左侧的主屏,但现在 Material Design 对它进行了大翻新,给了它一个色彩大胆的头部以及重新设计的排版。 + +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/play-store-1-150x150.jpg) + ][1] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/play2-150x150.jpg) + ][2] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/6-150x150.jpg) + ][3] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/5-150x150.jpg) + ][4] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/12-2-150x150.jpg) + ][5] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/14-1-150x150.jpg) + ][6] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/19-1-150x150.jpg) + ][7] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/13-2-150x150.jpg) + ][8] + +Play 商店遵从了和其它棒棒糖应用相似的轨迹。它在视觉上焕然疑一新,大胆的色彩,新排版,还有一个全新的布局。通常这里不会有什么新增功能,就只是给一切换件新马甲。 + +Play 商店的导航面板现在真的可以用于导航了,每个分类有各自的入口。棒棒糖也不再在操作栏放“更多”按钮了,取而代之的是一个独立的操作按钮(通常是搜索),并且去掉了导航栏中多余的选项。这给了用户一个单独的地方来查找项目,而不用在两个菜单中寻找搜索的地方。 + +棒棒糖还给了应用让状态栏透明的能力。这让操作栏的颜色可以渗透到状态栏,让它只比周围的界面暗一点点。一些界面甚至在顶部使用了全幅英雄图片,同时显示到了状态栏上。 + +[ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1-980x481.jpg) +][38] + + +谷歌日历完全重写了,获得了很多新设计,也失去了很多特性。你不再能够双指缩放来调整时间视图,月份视图也从手机上消失了,周视图从七天退化成了五天的视图。在用户抱怨之后,谷歌将会花费接下来几个版本的时间来重新添加回这里面的一些特性。“谷歌日历”还加强了“谷歌”部分,去除了直接在应用内添加第三方账户的能力。非谷歌账户现在需要从 Gamil 来添加。 + +尽管如此,它看起来还是很棒。在一些视图上,月份开头带有头图,就像是真实的纸质日历。带有地点的事件会附带显示来自那个地点的照片。举个例子,我的“去往旧金山”会显示金门大桥。谷歌日历还会从 Gamil 获取事件并在你的日历中显示。 + +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/7-150x150.jpg) + ][9] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/8-150x150.jpg) + ][10] +* [ + 
![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/12-150x150.jpg) + ][11] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/13-150x150.jpg) + ][12] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/3-1-150x150.jpg) + ][13] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/14-150x150.jpg) + ][14] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/6-2-150x150.jpg) + ][15] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/5-3-150x150.jpg) + ][16] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/7-2-150x150.jpg) + ][17] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/9-1-150x150.jpg) + ][18] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/10-1-150x150.jpg) + ][19] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/28-1-150x150.jpg) + ][20] + +其它应用都可以套用基本相同的描述:功能上没有太多新鲜的,但新设计换掉了奇巧中的灰色以大胆,明亮的色彩。环聊获得了收取 Google Voice 信息的能力,时钟应用的背景颜色会随着每天时间的变化而改变。 + +#### 任务调度器鞭策应用生态成型 + +谷歌决定在棒棒糖中实施“伏特计划(Project Volta)”,关注电量使用问题。谷歌从“电池史学家(Battery Historian)”开始,为自己和开发者创建了更多的电池追踪工具。这个 python 脚本获取所有的安卓电量日志数据,并转换成可读,交互式的图表。在这个新诊断工具的帮助下,谷歌将后台任务标记为主要的耗电大户。 + +在 2014 年的 I/O 大会上,这家公司注意到启用飞行模式并关闭屏幕可以让安卓手机待机将近一个月。但是,如果用户全部启用并使用设备,它们没法坚持一整天。结论就是如果你能让一切都停止活动,你的电池表现就能好得多。 + +因此,谷歌创建了一个新 API,称作“JobScheduler(任务调度器)”,这是个新的针对安卓后台任务的警察。在任务调度器出现之前,每个单独的应用为它自己的后台进程负责,这意味着每个应用会独立唤醒处理器和调制解调器,检查连通性、组织数据库、下载更新以及上传日志。所有东西都有它自己独立的定时器,所以你的手机会一直被唤醒。有了任务调度器,后台任务从无组织的混乱,转变为统一的批处理,有有序的后台进程处理窗口。 + +任务调度器可以让应用指定它们的任务所需的条件(连通性、Wi-Fi、接入电源等等),它会在那些条件满足的时候发送一条通知。这就像是推送邮件和每五分钟检查一次邮件的区别……但是带上任务需求的。谷歌还开始给后台任务推进一个“懒”实现。如果一些事情可以推迟到设备处于 Wi-Fi,接入电源以及待机状态,那它就应该等到那时候执行。你现在可以看到这一策略的成果,在 Wi-Fi 下,你可以将安卓手机接入电源,并且只有在_这种条件下_它才会开始下载应用更新。你通常不需要立即下载应用更新,最好的时候是等到用户有无限的电源和网络的时候进行。 + +#### 开机设置获得面向未来的新设计 + +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/25-1-150x150.jpg) + ][21] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/26-150x150.jpg) + ][22] +* [ + 
![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup2-150x150.jpg) + ][23] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup3-150x150.jpg) + ][24] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup4-150x150.jpg) + ][25] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup5-150x150.jpg) + ][26] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/10/setup6-150x150.png) + ][27] + +开机设置经过了大翻新,它不止是为了跟上 Material Design 指南,还是“面向未来”的,这样不管未来谷歌采用什么新的登录和验证方案,它都能够适应。记住,写“安卓编年史”的部分原因就是一些旧版安卓已经不再能工作了。这些年来,谷歌已经为用户升级了更佳加密的验证方案以及二次验证,但添加这些新的登录要求破坏了旧客户端的兼容性。很多安卓特性要求访问谷歌云设施,所以你没法登录的话,像安卓 1.0 的 Gmail 这样的就没法工作了。 + +在棒棒糖中,开机设置工作的前几个界面和之前的很像。你可以看到“欢迎使用安卓界面”以及一些设置数据和 Wi-Fi 连接的选项。但在这个界面之后就有了变化。一旦棒棒糖连接到了互联网,它会连接到谷歌的服务器来“检查更新”。这并不是检查系统或应用的更新,是在检查即将执行的设置工作的更新。安卓下载了最新版本的设置,_然后_它会要求你登录你的谷歌账户。 + +在今天登录进棒棒糖和奇巧的时候这个好处很明显。有可以可升级的设置流程,“2014”的棒棒糖系统可以适应 2016 的改进,像是谷歌新的“[触碰登录][39]”双重认证。奇巧在这就卡住了,但幸运的是它有个“浏览器登录”可以解决双重认证的问题。 + +棒棒糖的开机设置对将你的谷歌账户和密码放在单独的页面持极端立场。[谷歌讨厌密码][40]并提供了一些[实验性的方式][40]来不用单独页面登录到谷歌。如果你的账户设置为不使用密码,棒棒糖可以跳过密码页面。如果你设置了双重认证,设置页面就会进入到“输入双因素码”的设置流程。每个登录部分都是在单独的一个页面,所以设置流程是模块化的。页面可以随要求添加或移除。 + +开机设置还给了用户对应用还原的控制。安卓在这之前也提供了一些数据还原,但那是无法理解的,因为它仅仅只是在没有任何用户输入的情况下选择你的一台设备并开始恢复。开机设置流程中的一个新界面让用户可以看到在云端的设备配置集合,并选择合适的那个。你还可以选择要从那个备份还原的应用。备份有应用,你的主屏布局,以及一些小设置如 Wi-Fi 热点。它不是完全的应用数据备份。 + +#### 设置 + + +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/29-1-150x150.jpg) + ][28] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/settings-1-150x150.jpg) + ][29] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/2014-11-11-16.45.47-150x150.png) + ][30] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/battery-150x150.jpg) + ][31] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/user1-150x150.jpg) + ][32] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/users2-150x150.jpg) + ][33] +* [ + 
![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/30-1-150x150.jpg) + ][34] +* [ + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/31-150x150.jpg) + ][35] + +设置从暗色主题切换到了亮色。除了新外观,它还有方便的搜索功能。每个界面用户都能访问放大镜,让他们可以更容易地找到难找的选项。 + +这里有一些和伏特计划有关的额设置。“网络限制”允许用户将一个 Wi-Fi 连接标记为计费的,让任务调度器处理后台处理时避免使用它。同时作为伏特计划的一部分,添加了一个“节电模式”。它会限制后台任务并限制 CPU 性能,给你更长的续航但更慢的设备。 + +多用户支持已经出现在安卓平板中有一段时间了,但棒棒糖终于将它带到了安卓手机上。设置界面添加了一个新的“用户”页面,让你添加额外的账户或设置一个“访客”账户。访客账户是临时的——它们可以一次点击轻松删除。它不会像正常账户那样尝试下载关联到你账户的每个应用,因为它注定要在不久后被删除。 + +-------------------------------------------------------------------------------- + +作者简介: + +Ron 是 Ars Technica 的评论编缉,专注于安卓系统和谷歌产品。他总是在追寻新鲜事物,还喜欢拆解事物看看它们到底是怎么运作的。 + +-------------------------------------------------------------------------------- + +via: http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/ + +作者:[RON AMADEO][a] +译者:[alim0x](https://github.com/alim0x) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: http://arstechnica.com/author/ronamadeo +[1]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[2]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[3]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[4]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[5]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[6]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[7]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[8]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# 
+[9]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[10]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[11]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[12]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[13]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[14]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[15]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[16]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[17]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[18]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[19]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[20]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[21]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[22]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[23]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[24]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[25]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[26]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# 
+[27]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[28]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[29]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[30]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[31]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[32]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[33]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[34]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[35]:http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/29/# +[36]:https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1.jpg +[37]:http://arstechnica.com/author/ronamadeo/ +[38]:https://cdn.arstechnica.net/wp-content/uploads/2016/10/2-1.jpg +[39]:http://arstechnica.com/gadgets/2016/06/googles-new-two-factor-authentication-system-tap-yes-to-log-in/ +[40]:https://www.theguardian.com/technology/2016/may/24/google-passwords-android +[41]:http://www.androidpolice.com/2015/12/22/google-appears-to-be-testing-a-new-way-to-log-into-your-account-on-other-devices-with-just-your-phone-no-password-needed/ From da9060d4af577ed5b59d7a460eb67da0d5523335 Mon Sep 17 00:00:00 2001 From: Jinwen Zhang Date: Sun, 1 Jan 2017 15:37:31 +0800 Subject: [PATCH 153/181] wcnnbdk1 translating 20161103 Perl and the birth of the dynamic web.md --- sources/tech/20161103 Perl and the birth of the dynamic web.md | 1 + 1 file changed, 1 insertion(+) 
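Review bot: In the new 安卓编年史 file (the `@@ -0,0 +1,225 @@` hunk), the link `[实验性的方式][40]` reuses reference 40, the same Guardian URL as `[谷歌讨厌密码][40]` just before it, while `[41]` (the androidpolice.com article on logging in with just your phone) is defined and never referenced; the second link should most likely point at `[41]`. References `[36]` and `[37]` are also defined but unused and can be dropped. The added text has typos to fix before this leaves proofreading: `焕然疑一新` should be `焕然一新`, `Gamil` (twice, in the calendar paragraphs) should be `Gmail`, `即时是在息屏状态` should be `即使是在息屏状态`, `有有序的` has a doubled character, `有关的额设置` is missing a character, and `评论编缉` should be `评论编辑`.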
diff --git a/sources/tech/20161103 Perl and the birth of the dynamic web.md b/sources/tech/20161103 Perl and the birth of the dynamic web.md index e69126e365..1df6477fd8 100644 --- a/sources/tech/20161103 Perl and the birth of the dynamic web.md +++ b/sources/tech/20161103 Perl and the birth of the dynamic web.md @@ -1,3 +1,4 @@ +wcnnbdk1 translating # Perl and the birth of the dynamic web >The fascinating story of Perl's role in the dynamic web spans newsgroups and mailing lists, computer science labs, and continents. From f7398abf9729fd32596d3177ec31ec3929a05c8a Mon Sep 17 00:00:00 2001 From: alim0x Date: Sun, 1 Jan 2017 16:31:26 +0800 Subject: [PATCH 154/181] [translating] 30 - The history of Android --- .../30 - The (updated) history of Android.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/talk/The history of Android/30 - The (updated) history of Android.md b/sources/talk/The history of Android/30 - The (updated) history of Android.md index 6454f3f054..361e7f0f49 100644 --- a/sources/talk/The history of Android/30 - The (updated) history of Android.md +++ b/sources/talk/The history of Android/30 - The (updated) history of Android.md @@ -1,3 +1,5 @@ +alim0x translating + The (updated) history of Android ============================================================ From b0e29d38aa76c980c952584ccced5ff1915961d7 Mon Sep 17 00:00:00 2001 From: "Cathon.ZHD" Date: Sun, 1 Jan 2017 16:59:38 +0800 Subject: [PATCH 155/181] Cathon is Translating 'What is Docker' --- sources/tech/20160510 What is Docker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20160510 What is Docker.md b/sources/tech/20160510 What is Docker.md index d56d30e381..637dac66d1 100644 --- a/sources/tech/20160510 What is Docker.md +++ b/sources/tech/20160510 What is Docker.md @@ -1,3 +1,5 @@ +Cathon is translating--- + What is Docker? ================ From 8c530c6fc6df0b97f21c4d2b8282c620a3ceb37f Mon Sep 17 00:00:00 2001 
From: wxy Date: Sun, 1 Jan 2017 19:37:15 +0800 Subject: [PATCH 156/181] PUB:20161028 Inkscape: Adding some colour @geekpi --- .../20161028 Inkscape: Adding some colour.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) rename {translated/tech => published}/20161028 Inkscape: Adding some colour.md (65%) diff --git a/translated/tech/20161028 Inkscape: Adding some colour.md b/published/20161028 Inkscape: Adding some colour.md similarity index 65% rename from translated/tech/20161028 Inkscape: Adding some colour.md rename to published/20161028 Inkscape: Adding some colour.md index 5ff0dc2473..8e3b6969ab 100644 --- a/translated/tech/20161028 Inkscape: Adding some colour.md +++ b/published/20161028 Inkscape: Adding some colour.md 
@@ -1,24 +1,25 @@ -## [Inkscape: 添加颜色][1] +使用 Inkscape:添加颜色 +========= - ![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) +![inkscape-addingcolour](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-addingcolour-945x400.png) -在我们先前的 Inkscape 文章中,[我们介绍了 Inkscape 的基础][2] - 安装,以及如何创建基本形状及操作它们。我们还介绍了使用 Palette 更改 inkscape 对象的颜色。 虽然 Palette 对于从预定义列表快速更改对象颜色非常有用,但大多数情况下,你需要更好地控制对象的颜色。这是我们使用 Inkscape 中最重要的对话框之一 - 填充和轮廓Fill and Stroke 对话框。 +在我们先前的 Inkscape 文章中,[我们介绍了 Inkscape 的基础][2] - 安装,以及如何创建基本形状及操作它们。我们还介绍了使用 Palette 更改 inkscape 对象的颜色。 虽然 Palette 对于从预定义列表快速更改对象颜色非常有用,但大多数情况下,你需要更好地控制对象的颜色。这时我们使用 Inkscape 中最重要的对话框之一 - 填充和轮廓Fill and Stroke 对话框。 **关于文章中的动画的说明:**动画中的一些颜色看起来有条纹。这只是动画创建导致的。当你在 Inkscape 尝试时,你会看到很好的平滑渐变的颜色。 ### 使用 Fill/Stroke 对话框 -要在 Inkscape 中打开 “Fill and Stroke” 对话框,请从主菜单中选择 `Object`>`Fill and Stroke`。打开后,此对话框中的三个选项卡允许你检查和更改当前选定对象的填充颜色,描边颜色和描边样式。 +要在 Inkscape 中打开 “Fill and Stroke” 对话框,请从主菜单中选择 `Object`>`Fill and Stroke`。打开后,此对话框中的三个选项卡允许你检查和更改当前选定对象的填充颜色、描边颜色和描边样式。 ![open-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/open-fillstroke.gif) -在 Inkscape 中,Fill 用来给予对象主体主要颜色。对象的轮廓是可选择的,还有其他样式,可在轮廓样式Stroke style选项卡中进行配置,它允许您更改轮廓的粗细,创建虚线轮廓或为轮廓添加圆角。 在下面的动画中,我会改变星形的填充颜色,然后改变轮廓颜色,并调整轮廓的粗细: +在 Inkscape 中,Fill 用来给予对象主体颜色。对象的轮廓是你的对象的可选择外框,可在轮廓样式Stroke style选项卡中进行配置,它允许您更改轮廓的粗细,创建虚线轮廓或为轮廓添加圆角。 在下面的动画中,我会改变星形的填充颜色,然后改变轮廓颜色,并调整轮廓的粗细: - ![using-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/using-fillstroke.gif) +![using-fillstroke](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/using-fillstroke.gif) ### 添加并编辑渐变效果 -渐变也可以是对象的填充(或者轮廓)。要从 “Fill and Stroke” 对话框快速设置渐变填充,请先选择 “Fill” 选项卡,然后选择线性渐变linear gradient 选项: +对象的填充(或者轮廓)也可以是渐变的。要从 “Fill and Stroke” 对话框快速设置渐变填充,请先选择 “Fill” 选项卡,然后选择线性渐变linear gradient 选项: ![create-gradient](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/create-gradient.gif) 
@@ -28,11 +29,11 @@ * * * -这篇文章介绍了在 Inkscape 图纸中添加一些颜色和渐变的基础知识。 **“Fill and Stroke”** 对话框还有许多其他选项可供探索,如图案填充,不同的渐变样式和许多不同的轮廓样式。另外,查看**工具控制栏Tools control bar** 的 **Gradient Tool** 中的其他选项,看看如何以不同的方式调整渐变。 +这篇文章介绍了在 Inkscape 图纸中添加一些颜色和渐变的基础知识。 **“Fill and Stroke”** 对话框还有许多其他选项可供探索,如图案填充、不同的渐变样式和许多不同的轮廓样式。另外,查看**工具控制栏Tools control bar** 的 **Gradient Tool** 中的其他选项,看看如何以不同的方式调整渐变。 ----------------------- -作者简介:Ryan是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自 Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 +作者简介:Ryan 是一名 Fedora 设计师。他使用 Fedora Workstation 作为他的主要桌面,还有来自 Libre Graphics 世界的最好的工具,尤其是矢量图形编辑器 Inkscape。 -------------------------------------------------------------------------------- @@ -46,4 +47,4 @@ via: https://fedoramagazine.org/inkscape-adding-colour/ [a]: http://ryanlerch.id.fedoraproject.org/ [1]:https://fedoramagazine.org/inkscape-adding-colour/ -[2]:https://fedoramagazine.org/getting-started-inkscape-fedora/ +[2]:https://linux.cn/article-8079-1.html From 9420a77eb69c19d612575ac107208e675dcde5ae Mon Sep 17 00:00:00 2001 From: wxy Date: Sun, 1 Jan 2017 19:51:50 +0800 Subject: [PATCH 157/181] PUB:20161104 Create a simple wallpaper with Fedora and Inkscape @geekpi --- ...mple wallpaper with Fedora and Inkscape.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) rename {translated/tech => published}/20161104 Create a simple wallpaper with Fedora and Inkscape.md (81%) diff --git a/translated/tech/20161104 Create a simple wallpaper with Fedora and Inkscape.md b/published/20161104 Create a simple wallpaper with Fedora and Inkscape.md similarity index 81% rename from translated/tech/20161104 Create a simple wallpaper with Fedora and Inkscape.md rename to published/20161104 Create a simple wallpaper with Fedora and Inkscape.md index 5a0fbce7b4..a9317d1dfd 100644 --- a/translated/tech/20161104 Create a simple wallpaper with Fedora and Inkscape.md +++ b/published/20161104 Create a simple wallpaper with Fedora and Inkscape.md 
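Review bot: In `published/20161028 Inkscape: Adding some colour.md`, the first hunk replaces the linked heading `## [Inkscape: 添加颜色][1]` with a plain title, but the `@@ -46,4 +47,4 @@` hunk keeps `[1]:https://fedoramagazine.org/inkscape-adding-colour/` as unchanged context, so reference 1 is now defined and never used. Remove that definition; the `via:` line already records the source URL. The rewritten paragraph in the first hunk also still has `inkscape` in lower case in `更改 inkscape 对象的颜色` while every other mention is `Inkscape`.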
@@ -1,6 +1,7 @@ -### 使用 Fedora 和 Inkscape 制作一张简单的壁纸 +使用 Fedora 和 Inkscape 制作一张简单的壁纸 +================ - ![inkscape-wallpaper](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-wallpaper-945x400.png) +![inkscape-wallpaper](https://cdn.fedoramagazine.org/wp-content/uploads/2016/10/inkscape-wallpaper-945x400.png) 在先前的两篇 Inkscape 的文章中,我们已经[介绍了 Inkscape 的基本使用、创建对象][18]以及[一些基本操作和如何修改颜色。][17] @@ -14,7 +15,7 @@ ![Screenshot from 2016-09-07 08-37-01](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-08-37-01.png) ][16] -对于这张壁纸而言,我们会将尺寸改为**1024px x 768px**。要改变文档的尺寸,进入`File` > `Document Properties…`。在文档属性Document Properties对话框中自定义文档大小Custom Size区域中输入宽度为 1024px,高度为 768px: +对于这张壁纸而言,我们会将尺寸改为**1024px x 768px**。要改变文档的尺寸,进入`File` > `Document Properties...`。在文档属性Document Properties对话框中自定义文档大小Custom Size区域中输入宽度为 `1024`,高度为 `768` ,单位是 `px`: [ ![Screenshot from 2016-09-07 09-00-00](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-00-00.png) @@ -34,13 +35,13 @@ ![rect](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/rect.png) ][13] -接着在矩形中添加一个渐变填充Gradient Fill。[如果你需要复习添加渐变,请阅读先前添加色彩的文章。][12] +接着在矩形中添加一个渐变填充Gradient Fill。如果你需要复习添加渐变,请阅读先前添加色彩的[那篇文章][12]。 [ ![Screenshot from 2016-09-07 09-41-13](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-41-13.png) ][11] -你的矩形可能也设置了轮廓颜色。 使用填充和轮廓 Fill and Stroke对话框将轮廓设置为 **none**。 +你的矩形也可以设置轮廓颜色。 使用填充和轮廓 Fill and Stroke对话框将轮廓设置为 **none**。 [ ![Screenshot from 2016-09-07 09-44-15](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-44-15.png) 
@@ -48,19 +49,19 @@ ### 绘制图样 -接下来我们画一个三角形,使用 3个 顶点的星型/多边形工具。你可以**按住 CTRL** 键给三角形一个角度并使之对称。 +接下来我们画一个三角形,使用 3 个顶点的星型/多边形工具。你可以按住 `CTRL` 键给三角形一个角度并使之对称。 [ ![Screenshot from 2016-09-07 09-52-38](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-52-38.png) ][9] -选中三角形并按下 **CTRL+D** 来复制它(复制的图形会覆盖在原来图形的上面),**因此在复制后确保将它移动到别处。** +选中三角形并按下 `CTRL+D` 来复制它(复制的图形会覆盖在原来图形的上面),**因此在复制后确保将它移动到别处。** [ ![Screenshot from 2016-09-07 10-44-01](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-10-44-01.png) ][8] -如图选中一个三角形,进入**OBJECT > FLIP-HORIZONTAL(水平翻转)**。 +如图选中一个三角形,进入`Object` > `FLIP-HORIZONTAL`(水平翻转)。 [ ![Screenshot from 2016-09-07 09-57-23](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-57-23.png) @@ -82,7 +83,7 @@ ### 导出背景 -最后,我们需要将我们的文档导出为 PNG 文件。点击 **FILE > EXPORT PNG**,打开导出对话框,选择文件位置和名字,确保选中的是 Drawing 标签,并点击 **EXPORT**。 +最后,我们需要将我们的文档导出为 PNG 文件。点击 `File` > `EXPORT PNG`,打开导出对话框,选择文件位置和名字,确保选中的是 `Drawing` 标签,并点击 `EXPORT`。 [ ![Screenshot from 2016-09-07 11-07-05](https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-11-07-05-1.png) @@ -100,9 +101,7 @@ via: https://fedoramagazine.org/inkscape-design-imagination/ 作者:[a2batic][a] - 译者:[geekpi](https://github.com/geekpi) - 校对:[jasminepeng](https://github.com/jasminepeng) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 组织编译,[Linux中国](https://linux.cn/) 荣誉推出 
@@ -119,11 +118,11 @@ via: https://fedoramagazine.org/inkscape-design-imagination/ [9]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-52-38.png [10]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-44-15.png [11]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-41-13.png -[12]:https://fedoramagazine.org/inkscape-adding-colour/ +[12]:https://linux.cn/article-8084-1.html [13]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/rect.png [14]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-01-03.png [15]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-09-00-00.png [16]:https://1504253206.rsc.cdn77.org/wp-content/uploads/2016/10/Screenshot-from-2016-09-07-08-37-01.png -[17]:https://fedoramagazine.org/inkscape-adding-colour/ -[18]:https://fedoramagazine.org/getting-started-inkscape-fedora/ +[17]:https://linux.cn/article-8084-1.html +[18]:https://linux.cn/article-8079-1.html [19]:https://fedoramagazine.org/inkscape-design-imagination/ From 384df9df076e1742c87765e69d470df7b1b14c6f Mon Sep 17 00:00:00 2001 From: xiaojin Date: Sun, 1 Jan 2017 22:34:38 +0800 Subject: [PATCH 158/181] =?UTF-8?q?Delete=2020161207=20Manage=20Samba4=20A?= =?UTF-8?q?D=20Domain=20Controller=20DNS=20and=20Group=20Policy=20from=20W?= =?UTF-8?q?indows=20=E2=80=93=20Part=204.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 翻译完成,删除原文。 --- ... and Group Policy from Windows – Part 4.md | 222 ------------------ 1 file changed, 222 deletions(-) delete mode 100644 sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md 
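Review bot: In the `@@ -34,13 +35,13 @@` hunk of the wallpaper article, `你的矩形可能也设置了轮廓颜色` is changed to `你的矩形也可以设置轮廓颜色`, which turns "your rectangle may already have a stroke colour" into "your rectangle can also be given one"; the next sentence tells the reader to set the stroke to **none**, so the original wording fits the step and should be kept. In the `@@ -48,19 +49,19 @@` and `@@ -82,7 +83,7 @@` hunks the menu paths are only half normalised: `Object` > `FLIP-HORIZONTAL` and `File` > `EXPORT PNG` keep upper-case labels beside `File` > `Document Properties...`; use one casing that matches the labels shown in the Inkscape menus.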
diff --git a/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md b/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md deleted file mode 100644 index 85ea330a5d..0000000000 --- a/sources/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md +++ /dev/null 
@@ -1,222 +0,0 @@ -Rusking translating - -Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4 -============================================================ - -Continuing the previous tutorial on [how to administer Samba4 from Windows 10 via RSAT][4], in this part we’ll see how to remotely manage our Samba AD Domain controller DNS server from Microsoft DNS Manager, how to create DNS records, how to create a Reverse Lookup Zone and how to create a domain policy via Group Policy Management tool. - -#### Requirements - -1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1] -2. [Manage Samba4 AD Infrastructure from Linux Command Line – Part 2][2] -3. [Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3][3] - -### Step 1: Manage Samba DNS Server - -Samba4 AD DC uses an internal DNS resolver module which is created during the initial domain provision (if BIND9 DLZ module is not specifically used). - -Samba4 internal DNS module supports the basic features needed for an AD Domain Controller. The domain DNS server can be managed in two ways, directly from command line through samba-tool interface or remotely from a Microsoft workstation which is part of the domain via RSAT DNS Manager. - -Here, we’ll cover the second method because it’s more intuitive and not so prone to errors. - -1. To administer the DNS service for your domain controller via RSAT, go to your Windows machine, open Control Panel -> System and Security -> Administrative Tools and run DNS Manager utility. - -Once the tool opens, it will ask you on what DNS running server you want to connect. Choose The following computer, type your domain name in the field (or IP Address or FQDN can be used as well), check the box that says ‘Connect to the specified computer now’ and hit OK to open your Samba DNSservice. 
- -[ - ![Connect Samba4 DNS on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png) -][5] - -Connect Samba4 DNS on Windows - -2. In order to add a DNS record (as an example we will add an `A` record that will point to our LAN gateway), navigate to domain Forward Lookup Zone, right click on the right plane and choose New Host(`A` or `AAA`). - -[ - ![Add DNS A Record on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png) -][6] - -Add DNS A Record on Windows - -3. On the New host opened window, type the name and the IP Address of your DNS resource. The FQDNwill be automatically written for you by DNS utility. When finished, hit the Add Host button and a pop-up window will inform you that your DNS A record has been successfully created. - -Make sure you add DNS A records only for those resources in your network [configured with static IP Addresses][7]. Don’t add DNS A records for hosts which are configured to acquire network configurations from a DHCP server or their IP Addresses change often. - -[ - ![Configure Samba Host on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png) -][8] - -Configure Samba Host on Windows - -To update a DNS record just double click on it and write your modifications. To delete the record right click on the record and choose delete from the menu. - -In the same way you can add other types of DNS records for your domain, such as CNAME (also known as DNS alias record) MX records (very useful for mail servers) or other type of records (SPF, TXT, SRVetc). - -### Step 2: Create a Reverse Lookup Zone - -By default, Samba4 Ad DC doesn’t automatically add a reverse lookup zone and PTR records for your domain because these types of records are not crucial for a domain controller to function correctly. 
- -Instead, a DNS reverse zone and its PTR records are crucial for the functionality of some important network services, such as an e-mail service because these type of records can be used to verify the identity of clients requesting a service. - -Practically, PTR records are just the opposite of standard DNS records. The clients know the IP address of a resource and queries the DNS server to find out their registered DNS name. - -4. In order to a create a reverse lookup zone for Samba AD DC, open DNS Manager, right click on Reverse Lookup Zone from the left plane and choose New Zone from the menu. - -[ - ![Create Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png) -][9] - -Create Reverse Lookup DNS Zone - -5. Next, hit Next button and choose Primary zone from Zone Type Wizard. - -[ - ![Select DNS Zone Type](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png) -][10] - -Select DNS Zone Type - -6. Next, choose To all DNS servers running on domain controllers in this domain from the AD Zone Replication Scope, chose IPv4 Reverse Lookup Zone and hit Next to continue. - -[ - ![Select DNS for Samba Domain Controller](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png) -][11] - -Select DNS for Samba Domain Controller - -[ - ![Add Reverse Lookup Zone Name](http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png) -][12] - -Add Reverse Lookup Zone Name - -7. Next, type the IP network address for your LAN in Network ID filed and hit Next to continue. - -All PTR records added in this zone for your resources will point back only to 192.168.1.0/24 network portion. If you want to create a PTR record for a server that does not reside in this network segment (for example mail server which is located in 10.0.0.0/24 network), then you’ll need to create a new reverse lookup zone for that network segment as well. 
- -[ - ![Add IP Address of Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png) -][13] - -Add IP Address of Reverse Lookup DNS Zone - -8. On the next screen choose to Allow only secure dynamic updates, hit next to continue and, finally hit on finish to complete zone creation. - -[ - ![Enable Secure Dynamic Updates](http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png) -][14] - -Enable Secure Dynamic Updates - -[ - ![New DNS Zone Summary](http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png) -][15] - -New DNS Zone Summary - -9. At this point you have a valid DNS reverse lookup zone configured for your domain. In order to add a PTR record in this zone, right click on the right plane and choose to create a PTR record for a network resource. - -In this case we’ve created a pointer for our gateway. In order to test if the record was properly added and works as expected from client’s point of view, open a Command Prompt and issue a nslookup query against the name of the resource and another query for its IP Address. - -Both queries should return the correct answer for your DNS resource. - -``` -nslookup gate.tecmint.lan -nslookup 192.168.1.1 -ping gate -``` -[ - ![Add DNS PTR Record and Query PTR](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png) -][16] - -Add DNS PTR Record and Query PTR - -### Step 3: Domain Group Policy Management - -10. An important aspect of a domain controller is its ability to control system resources and security from a single central point. This type of task can be easily achieved in a domain controller with the help of Domain Group Policy. - -Unfortunately, the only way to edit or manage group policy in a samba domain controller is through RSAT GPM console provided by Microsoft. 
- -In the below example we’ll see how simple can be to manipulate group policy for our samba domain in order to create an interactive logon banner for our domain users. - -In order to access group policy console, go to Control Panel -> System and Security -> Administrative Tools and open Group Policy Management console. - -Expand the fields for your domain and right click on Default Domain Policy. Choose Edit from the menu and a new windows should appear. - -[ - ![Manage Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png) -][17] - -Manage Samba Domain Group Policy - -11. On Group Policy Management Editor window go to Computer Configuration -> Policies -> Windows Settings -> Security settings -> Local Policies -> Security Options and a new options list should appear in the right plane. - -In the right plane search and edit with your custom settings following two entries presented on the below screenshot. - -[ - ![Configure Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png) -][18] - -Configure Samba Domain Group Policy - -12. After finishing editing the two entries, close all windows, open an elevated Command prompt and force group policy to apply on your machine by issuing the below command: - -``` -gpupdate /force -``` -[ - ![Update Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png) -][19] - -Update Samba Domain Group Policy - -13. Finally, reboot your computer and you’ll see the logon banner in action when you’ll try to perform logon. - -[ - ![Samba4 AD Domain Controller Logon Banner](http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png) -][20] - -Samba4 AD Domain Controller Logon Banner - -That’s all! Group Policy is a very complex and sensitive subject and should be treated with maximum care by system admins. 
Also, be aware that group policy settings won’t apply in any way to Linux systems integrated into the realm. - ------- - -作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. - - --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ - -作者:[Matei Cezar ][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/cezarmatei/ -[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ -[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ -[3]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ -[4]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ -[5]:http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png -[6]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png -[7]:http://www.tecmint.com/set-add-static-ip-address-in-linux/ -[8]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png -[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png -[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png -[11]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png -[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png -[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png -[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png -[15]:http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png 
-[16]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png -[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png -[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png -[19]:http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png -[20]:http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png -[21]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# -[22]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# -[23]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# -[24]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# -[25]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/#comments From f0d9c5af8d3000d81edfcce55a8ca69e0ef151d7 Mon Sep 17 00:00:00 2001 From: xiaojin Date: Sun, 1 Jan 2017 22:37:02 +0800 Subject: [PATCH 159/181] Add files via upload MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 翻译完成,添加译文 --- ... and Group Policy from Windows – Part 4.md | 218 ++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 translated/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md diff --git a/translated/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md b/translated/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md new file mode 100644 index 0000000000..9013125450 --- /dev/null +++ b/translated/tech/20161207 Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4.md 
@@ -0,0 +1,218 @@ +Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4 +============================================================ +在 Windows 系统下管理 Samba4 AD 域管制器 DNS 和组策略(四) + +接着前一篇教程写的关于[使用 Windows 10 系统的 RSAT 工具来管理 Samba4 活动目录架构][4],在这篇文章中我们将学习如何使用微软 DNS 管理器远程管理我们的 Samba AD 域控制器的 DNS 服务器,如何创建 DNS 记录,如何创建反向查找区域以及如何通过组策略管理工具来创建域策略。 + +#### 需求 + +1、 [在 Ubuntu16.04 系统上使用 Samba4 软件来创建活动目录架构(一)][1] +2、 [在 Linux 命令行下管理 Samba4 AD 架构(二)][2] +3、 [使用 Windows 10 系统的 RSAT 工具来管理 Samba4 活动目录架构 (三)][3] + +### 第 1 步:管理 Samba DNS 服务器 + +Samba4 AD DC 使用内部的 DNS 解析模块,该模块在初始化域提供的过程中被创建完成(如果 BIND9 DLZ 模块未特定使用的情况下)。 + +Samba4 内部的 DNS 域模块支持 AD 域控制器所必须的基本功能。有两种方式来管理域 DNS 服务器,直接在命令行下通过 samba-tool 接口来管理,或者使用已加入域的微软工作站中的 RSAT DNS 管理器远程进行管理。 + +在这篇文章中,我们使用第二种方式来进行管理,因为这种方式很直观,也不容易出错。 + +1、要使用 RSAT 工具来管理域控制器上的 DNS 服务器,在 Windows 机器上,打开控制面板 -> 系统和安全 -> 管理工具,然后运行 DNS 管理器工具。 + +当打开这个工具时,它会询问你将要连接到哪台正在运行的 DNS 服务器。选择使用下面的计算机,输入域名(IP 地址或 FQDN 地址都可以使用),勾选‘现在连接到指定计算机’,然后单击 OK 按钮以开启 Samba DNS 服务。 + +[ + ![Connect Samba4 DNS on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png) +][5] + +在 Windows 系统上连接 Samba4 DNS 服务器 + +2、为了添加一条 DNS 记录(比如我们添加一条指向 LAN 网关的记录 ‘A'),打开 DNS 管理器,找到域正向查找区,在右侧单击右键选择新的主机(’A‘ 或 ’AAA‘)。 + +[ + ![Add DNS A Record on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png) +][6] + +在 Windows 下添加一条 DNS 记录 + +3、在打开的新主机窗口界面,输入 DNS 服务器的主机名和 IP 地址。 DNS 管理器工具会自动填写完成 FQDN 地址。填写完成后,点击添加主机按钮,之后会弹出一个新的窗口提示你 DNS A 记录已经创建完成。 + +确保你添加的 DNS A 记录是你们网络中的资源[已配置静态 IP][7]。不要为那些从 DHCP 服务器自动获取 IP 地址或者经常变换 IP 地址的主机添加 DNS A 记录。 + +[ + ![Configure Samba Host on Windows](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png) +][8] + +在 Windows 系统下配置 Samba 主机 + +要更新一条 DNS 记录只需要双击那条记录,然后输入更改原因即可。要删除一条记录时,只需要在这条记录上单击右键,选择从菜单删除即可。 + +同样的方式,你也可以为你的域添加其它类型的 DNS 记录,比如说 CNAME 记录(也称为 DNS 别名记录),MX 记录(在邮件服务器上非常有用)或者其它类型的记录(SPE、TXT、SRVetc类型)。 + +### 第 2 步:创建反向查找区域 + +默认情况下, Samba4 AD DC 
不会自动为你的域添加一个反向查找区域和 PTR 记录,因为这些类型的记录对于域控制器的正常工作来说是无关紧要的。 + +相反,DNS 反向区和 PTR 记录在一些重要的网络服务中显得非常有用,比如邮件服务,因为这些类型的记录可以用于验证客户端请求服务的身份。 + +实际上, PTR 记录的功能与标准的 DNS 记录功能相反。客户端知道资源的 IP 地址,然后去查询 DNS 服务器来识别出已注册的 DNS 名字。 + +4、要创建 Samba AD DC 的反向查找区域,打开 DNS 管理器,在左侧反向查找区域目录上单击右键,然后选择菜单中的新区域。 + +[ + ![Create Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png) +][9] + +创建 DNS 反向查找区域 + +5、下一步,单击下一步按钮,然后从区域类型向导中选择主区域。 +[ + ![Select DNS Zone Type](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png) +][10] + +选择 DNS 区域类型 + +6、下一步,在 AD 区域复制范围中选择复制到该域里运行在域控制器上的所有的 DNS 服务器,选择 IPv4 反向查找区域然后单击下一步继续。 + +[ + ![Select DNS for Samba Domain Controller](http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png) +][11] + +为 Samba 域控制器选择 DNS 服务器 + +[ + ![Add Reverse Lookup Zone Name](http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png) +][12] + +添加反向查找区域名 + +7、下一步,在网络ID 框中输入你的 LAN IP 地址,然后单击下一步继续。 + +资源在这个区域内添加的所有 PTR 记录仅指向 192.168.1.0/24 网络段。如果你想要为一个不在该网段中的服务器创建一个 PTR 记录(比如邮件服务器位于 10.0.0.0/24 这个网段的时候),那么你还得为那个网段创建一个新的反向查找区域。 + +[ + ![Add IP Address of Reverse Lookup DNS Zone](http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png) +][13] + +添加 DNS 反向查找区域的 IP 地址 + +8、在下一个截图中选择仅允许安全的动态更新,单击下一步继续,最后单击完成按钮以完成反向查找区域的创建。 + +[ + ![Enable Secure Dynamic Updates](http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png) +][14] + +启用安全动态更新 + +[ + ![New DNS Zone Summary](http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png) +][15] + +新 DNS 区域概述 + +9、此时,你已经为你的域环境创建完成了一个有效的 DNS 反向查找区域。为了在这个区域中添加一个 PTR 记录,在右侧右键单击,选择为网络资源创建一个 PTR 记录。 + +这个时候,我们已经为网关创建了一个指向。为了测试这条记录对于客户端是否添加正确和工作正常,打开命令行提示符执行 nslookup 查询资源名,再执行另外一条命令查询 IP 地址。 + +两个查询都应该为你的 DNS 资源返回正确的结果。 + +``` +nslookup gate.tecmint.lan +nslookup 192.168.1.1 +ping gate +``` +[ + ![Add DNS PTR Record and Query 
PTR](http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png) +][16] + +添加及查询 PTR 记录 +### 第 3 步:管理域控制策略 + +10、域控制器最重要的作用就是集中控制系统资源及安全。使用域控制器的域组策略功能很容易实现这些类型的任务。 + +遗憾的是,在 Samba 域控制器上唯一用来编辑或管理组策略的方法是通过微软的 RSAT GPM 工具。 + +在下面的实例中,我们将看到通过组策略来实现在 Samba 域环境中为域用户创建一种交互式的登录方式是多么的简单。 + +要访问组策略控制台,打开控制面板 -> 系统和安全 -> 管理工具,然后打开组策略管理控制台。 + +展开你的域下面的目录,在默认组策略上右键,选择菜单中的编辑,将出现一个新的窗口。 + +[ + ![Manage Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png) +][17] + +管理 Samba 域组策略 + +11、在组策略管理编辑器窗口中,进入到电脑配置 -> 组策略 -> Windows 设置 -> 安全设置 -> 本地策略 -> 安全选项,你将在右侧看到一个新的选项列表。 + +在右侧查询并编辑你的定制化设置,参考下图中的两条设置内容。 + +[ + ![Configure Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png) +][18] + +配置 Samba 域组策略 + +12、这两个条目编辑完成后,关闭所有窗口,打开 CMD 窗口,执行以下命令来强制应用组策略。 + +``` +gpupdate /force +``` +[ + ![Update Samba Domain Group Policy](http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png) +][19] + +更新 Samba 域组策略 + +13、最后,重启你的电脑,当你准备登录进入系统的时候,你就会看到登录提示生效了。 +[ + ![Samba4 AD Domain Controller Logon Banner](http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png) +][20] + +Samba4 AD 域控制器登录提示 + +就写到这里吧!组策略是一个操作起来很繁琐和很谨慎的主题,在管理系统的过程中你得非常的小心。还有,注意你设置的组策略不会以任何方式应用到已加入域的 Linux 系统中。 + +------ + +作者简介:我是一个电脑迷,开源软件及 Linux 系统爱好者,有近4年的 Linux 桌面和服务器系统及 bash 编程经验。 + + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/ + +作者:[Matei Cezar ][a] +译者:[rusking](https://github.com/rusking) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/cezarmatei/ +[1]:http://www.tecmint.com/install-samba4-active-directory-ubuntu/ 
+[2]:http://www.tecmint.com/manage-samba4-active-directory-linux-command-line/ +[3]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ +[4]:http://www.tecmint.com/manage-samba4-ad-from-windows-via-rsat/ +[5]:http://www.tecmint.com/wp-content/uploads/2016/12/Connect-Samba4-DNS-on-Windows.png +[6]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-A-Record.png +[7]:http://www.tecmint.com/set-add-static-ip-address-in-linux/ +[8]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Host-on-Windows.png +[9]:http://www.tecmint.com/wp-content/uploads/2016/12/Create-Reverse-Lookup-DNS-Zone.png +[10]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-Zone-Type.png +[11]:http://www.tecmint.com/wp-content/uploads/2016/12/Select-DNS-for-Samba-Domain-Controller.png +[12]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-Reverse-Lookup-Zone-Name.png +[13]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-IP-Address-of-Reverse-DNS-Zone.png +[14]:http://www.tecmint.com/wp-content/uploads/2016/12/Enable-Secure-Dynamic-Updates.png +[15]:http://www.tecmint.com/wp-content/uploads/2016/12/New-DNS-Zone-Summary.png +[16]:http://www.tecmint.com/wp-content/uploads/2016/12/Add-DNS-PTR-Record-and-Query.png +[17]:http://www.tecmint.com/wp-content/uploads/2016/12/Manage-Samba-Domain-Group-Policy.png +[18]:http://www.tecmint.com/wp-content/uploads/2016/12/Configure-Samba-Domain-Group-Policy.png +[19]:http://www.tecmint.com/wp-content/uploads/2016/12/Update-Samba-Domain-Group-Policy.png +[20]:http://www.tecmint.com/wp-content/uploads/2016/12/Samba4-Domain-Controller-User-Login.png +[21]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[22]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[23]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# +[24]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/# 
+[25]:http://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/#comments From c4ef48c0dcbede24642fcaba266b1588cf975149 Mon Sep 17 00:00:00 2001 From: ypingcn <1344632698@qq.com> Date: Sun, 1 Jan 2017 23:17:50 +0800 Subject: [PATCH 160/181] Update 20161107 CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md --- ...CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sources/tech/20161107 CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md b/sources/tech/20161107 CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md index 49eb8f536b..0350f284e0 100644 --- a/sources/tech/20161107 CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md +++ b/sources/tech/20161107 CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE.md @@ -1,3 +1,5 @@ +translating by ypingcn. + CLOUD FOCUSED LINUX DISTROS FOR PEOPLE WHO BREATHE ONLINE ============================================================ From 624439169bdcba34bd0700bb5e54132b755287a9 Mon Sep 17 00:00:00 2001 From: alim0x Date: Sun, 1 Jan 2017 23:34:00 +0800 Subject: [PATCH 161/181] [translated] 30 - The history of Android --- .../30 - The (updated) history of Android.md | 116 +++++++++--------- 1 file changed, 57 insertions(+), 59 deletions(-) rename {sources => translated}/talk/The history of Android/30 - The (updated) history of Android.md (57%) diff --git a/sources/talk/The history of Android/30 - The (updated) history of Android.md b/translated/talk/The history of Android/30 - The (updated) history of Android.md similarity index 57% rename from sources/talk/The history of Android/30 - The (updated) history of Android.md rename to translated/talk/The history of Android/30 - The (updated) history of Android.md index 361e7f0f49..c9408033a5 100644 --- a/sources/talk/The history of Android/30 - The (updated) history of Android.md +++ b/translated/talk/The history of Android/30 - The (updated) history of Android.md 
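Review bot: in PATCH 159/181 (the new translated Samba4 Part 4 file), the English title line and its `====` underline are still at the top, so the Chinese title "在 Windows 系统下管理 Samba4 AD 域管制器 DNS 和组策略(四)" lands as body text under an English heading; drop the English line and put the Chinese title above the underline. That title also uses 域管制器 while the rest of the file uses 域控制器, so pick one term. In step 2 the record types read (’A‘ 或 ’AAA‘): the IPv6 host record is AAAA, and the opening and closing quotes are reversed. In the list of other record types, "SPE、TXT、SRVetc类型" has an untranslated "etc" fused to SRV, and SPE is not a DNS record type (SPF is presumably meant). In step 11 the console path reads 电脑配置 -> 组策略 -> Windows 设置; the node under Computer Configuration is Policies (策略), so a reader following the path will not find a 组策略 node. Reference entries [21] to [25] point at bare `#` anchors and nothing in the translated text cites them, so they can be removed.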
@@ -1,171 +1,169 @@ -alim0x translating - -The (updated) history of Android +安卓编年史 ============================================================ -> Follow the endless iterations from Android 0.5 to Android 7 and beyond. +> 让我们跟着安卓从 0.5 版本到 7 的无尽迭代来看看它的发展历史。 ### Android TV * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/IMG_0002-22-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/IMG_0002-22-150x150.jpg) ][2] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-172334-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-172334-150x150.png) ][3] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/play-store-2-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/play-store-2-150x150.png) ][4] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/search-2-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/search-2-150x150.png) ][5] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/search-1-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/search-1-150x150.png) ][6] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-150246-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-150246-150x150.png) ][7] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-1548581-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-1548581-150x150.png) ][8] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-170651-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-170651-150x150.png) ][9] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-174128-150x150.png) + 
![](https://cdn.arstechnica.net/wp-content/uploads/2014/11/device-2014-10-31-174128-150x150.png) ][10] -November 2014 saw Android continue its march to take over everything with a screen as Google unveiled Android TV. A division inside the company had previously tried to take over the living room with Google TV during the Honeycomb era, but this was a total reboot of the idea directly from the Android team. Android TV took Android 5.0 Lollipop and gave it a Material Design interface purpose-built for the biggest screen in the house. For launch hardware, Google tapped Asus to build the "Nexus Player," an underpowered-but-versatile set top box. +2014 年 11 月谷歌公布了安卓 TV,安卓继续进行它带着一块屏幕征服一切的征程。这家公司里的一个部门之前在蜂巢时代尝试过用谷歌 TV 掌控客厅,但这次完全是来自安卓团队的新点子。安卓 TV 使用安卓 5.0 棒棒糖,并给了它一个为室内最大屏幕设计的 Material Design 界面。首发硬件谷歌选择了华硕来代工“Nexus Player”,这是一个配置不足但够用的机顶盒。 -Android TV was really about three things: video, music, and games. You controlled the TV with a tiny remote consisting only of a D-Pad with 4 buttons: Back, Home, Microphone, and Play/Pause. For games, Asus simply cloned the Xbox 360 controller, giving players a million buttons and a pair of analog sticks. +安卓 TV 专注于三样东西:视频,音乐,以及游戏。你可以用一个小遥控器控制电视,它只有四向方向键以及四个按钮,后退、主页、麦克风以及播放/暂停。至于游戏,华硕克隆了一个 Xbox 360 手柄,给了玩家一堆按键和一对摇杆。 -The interface was pretty simple. Large horizontally-scrolling media thumbnails occupied the screen, filling the TV with content from YouTube, Google Play, Netflix, Hulu, and other sources. Instead of soiling everything in an app, the thumbnails were actually "recommended" items from many different content sources. Below that you could directly access the apps and settings. +安卓 TV 的界面很简单。大幅的媒体略缩图占据了屏幕,可以横向滚动,这些媒体中有 Youtube、Google Play、Netflix、Hulu 以及其它来源。这些略缩图实际上是来自不同媒体源的“推荐”项目,它不是简单地将一个应用的内容填满屏幕。在那下面你可以直接访问应用和设置。 -The voice interface was great. You could ask Android TV to play whatever you wanted, instead of hunting it down through the GUI. 
You could also run clever search results on content, like "show me movies with Harrison Ford." And instead of app silos, every app could provide content to the indexing service. All these apps were housed in a TV-version of the Play Store. Developers specifically supporting Android TV devices also supported the Google cast protocol, allowing users to beam videos and music from their phones and tablets to the TV. +语音界面很赞。你可以告诉安卓 TV 播放任意你想要的内容,而不用通过图形界面去寻找。你还能在内容里获得更聪明的搜索结果,比如“显示和 Harrison Ford 有关的电影”。每个应用都可以给索引服务提供内容,而不是简单的应用集合。所有的这些应用都在 Play 商店有一个 TV 版本。开发者对安卓 TV 的特别支持还包括谷歌 cast 协议,允许用户从他们的手机和平板向电视投射视频和音乐。 ### Android 5.1 Lollipop * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/lock1-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/lock1-150x150.jpg) ][11] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/2015-03-14-17.33.58-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/2015-03-14-17.33.58-150x150.png) ][12] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/quick-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/quick-150x150.jpg) ][13] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/new-quick-panels-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/new-quick-panels-150x150.jpg) ][14] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumepress-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumepress-150x150.jpg) ][15] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumetouch-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumetouch-150x150.jpg) ][16] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumebell-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/volumebell-150x150.jpg) ][17] * [ - 
![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/interrupts1-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/interrupts1-150x150.jpg) ][18] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/heads-up1-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/heads-up1-150x150.jpg) ][19] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/screen-pin-2-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/screen-pin-2-150x150.jpg) ][20] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/screen-pin-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/screen-pin-150x150.jpg) ][21] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/gif1-150x150.gif) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/gif1-150x150.gif) ][22] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/Untitled-1-150x150.gif) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/Untitled-1-150x150.gif) ][23] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/51-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/51-150x150.jpg) ][24] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/scrollbar-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/scrollbar-150x150.jpg) ][25] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/simcard-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/simcard-150x150.jpg) ][26] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/sip-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/sip-150x150.jpg) ][27] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/status-screen-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/status-screen-150x150.jpg) ][28] * [ - 
![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/time-picker-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/time-picker-150x150.jpg) ][29] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/icons-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/icons-150x150.jpg) ][30] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/play-store-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/03/play-store-150x150.jpg) ][31] -Android 5.1 came out in March 2015 and was the tiniest of updates. The goal here was mainly to [fix encryption performance][43] on the Nexus 6, along with adding device protection and a few interface tweaks. +安卓 5.1 在 2015 年 3 月发布,这是安卓最小的更新。它的目的主要是[修复 Nexus 6 上的加密性能问题][43],还添加了设备保护和一些小的界面调整。 -Device protection's only UI addition took the form of a new warning during setup. The feature offered to "Protect your device from reuse" if it was stolen. Once a lock screen was set, device protection would kick in, and could be triggered during a device wipe. If you wiped the phone the way an owner normally would—by unlocking the phone and picking "reset" from the settings—nothing would happen. If you wipe the phone through developer tools though, the device would demand that you "verify a previously-synced Google Account" during the next setup. +设备保护是唯一的新增界面,采用的是在开机设置显示新警告的形式。这个特性在设备被偷了之后“保护你的设备不被再次利用”。一旦设置了锁屏,设备保护就开始介入,并且会在擦除设备的时候被触发。如果你以机主正常的方式擦除设备——解锁手机并从设置选择“重置”——什么都不会发生。但如果你通过开发者工具擦除,设备会在下次开机设置的时候要求你“验证之前同步的谷歌账户”。 -The idea was that a developer would know the pervious Google credentials on the device, but a thief would not so they'd be stuck at setup. In practice this triggered [a cat and mouse game][44] of people finding exploits that get around device protection, and Google getting word of the bug and patching it. Software features added by OEM skins also introduced fun new bugs to get around device protection. 
+这个想法是基于开发者是会知道之前登录的谷歌帐号凭证的,但小偷就不知道了,他们会卡在设置这一步。在现实中这引发了[一个猫鼠游戏][44],人们寻找漏洞来绕过设备保护,而谷歌知道了这个 bug 并修补它。OEM 定制也引入了一些有趣的 bug 来绕过设备保护。 -There was also a whole host of extremely minor UI changes that we have dutifully cataloged in the gallery, above. There's not much to say about them beyond the captions. +还有很多特别微小的界面改动,我们没法一一列在上面的图中。除了上面的图片描述之外没什么可说的了。 ### Android Auto * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/Android_Auto_The_right_information_for_the_road_ahead_-_YouTube_-_Google_Chrome_2016-10-29_19-49-56-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/Android_Auto_The_right_information_for_the_road_ahead_-_YouTube_-_Google_Chrome_2016-10-29_19-49-56-150x150.jpg) ][32] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/Android-Auto-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2016/10/Android-Auto-150x150.jpg) ][33] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-105548-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-105548-150x150.png) ][34] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-091514-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-091514-150x150.png) ][35] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-10-194221-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-10-194221-150x150.png) ][36] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-110323-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-110323-150x150.png) ][37] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-10-113659-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-10-113659-150x150.png) ][38] * [ - 
![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-105654-150x150.png) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-105654-150x150.png) ][39] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-1117341-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/screendump-2015-07-09-1117341-150x150.jpg) ][40] * [ - ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/IMG_3594-150x150.jpg) + ![](https://cdn.arstechnica.net/wp-content/uploads/2015/07/IMG_3594-150x150.jpg) ][41] -Also in March 2015, Google launched "Android Auto," a new Android-inspired interface for car infotainment systems. Android Auto was Google's answer to Apple's CarPlay and worked much the same way. It wasn't a full operating system—it's a "casted" interface that runs on your phone and uses the car's built-in screen as an external monitor. Running Android Auto means having a compatible car, installing the Android Auto app on your phone (Android 5.0 and above), and hooking the phone up to the car with a USB cable. +同样是在 2015 年 3 月,谷歌发布了“安卓 Auto”,一个基于安卓界面的全新车载娱乐信息系统。安卓 Auto 是谷歌面对苹果的 CarPlay 交出的答卷,它们很多地方都很相似。安卓 Auto 不完全是个操作系统——它是一个运行在你手机上的“投射”界面,使用车载显示屏作为一块外置显示器。运行安卓 Auto 意味着拥有一款兼容的汽车,在手机上(安卓 5.0 及以上版本)安装了安卓 Auto 应用,并用 USB 线将手机连接到汽车。 -Android Auto brought Google's Material Design interface to your existing infotainment system, bringing top-tier software design to a platform that [typically struggles][45] with designing good software. Android Auto was a ground up redesign of the Android interface made specifically to comply with the myriad of infotainment regulations around the world. There was no tradition "home screen" full of app icons, instead Android's navigation bar was changed into an always-on app launcher (almost like a tabbed interface). 
+安卓 Auto 给你已有的车载系统带来了谷歌的 Material Design 界面,给这个[通常挣扎于]设计好软件的平台带来了顶级的软件设计。安卓 Auto 是个对安卓界面的完全重新设计,以遵循世界各地对车载系统无数的规定。它没有通常充满应用图标的“主屏”,安卓的导航栏也变为了一个常驻的应用启动器(几乎像是个标签页式的界面)。 -The paired down feature set only really had four sections, from left to right on the navigation bar: Google Maps, a dialer/contacts screen, the "home" section that was a hybrid of Google Now and a notification panel, and a music page. The last button was an "OEM" page that let you exit Android Auto and return to the stock infotainment system (it was also meant to eventually house custom car manufacturer features). There was Google's voice command system, which took the form of a microphone button on the top right of the screen. +算下来特性实际上只有四部分,导航栏从左到右是:谷歌地图,一个拨号/联系人界面,“主屏”部分混合了 Google Now 和一个通知面板,还有一个音乐页面。最后一个按钮是一个“OEM”页面,让你可以退出安卓 Auto,返回到自带的车载系统(这也是为了放置汽车制造商的定制特性)。安卓 Auto 还带有谷歌的语音命令系统,以一个麦克风按钮的形式显示在屏幕右上角。 -There wasn't much in the way of apps for Android Auto. Only two categories were allowed: music and messaging apps. Infotainment regulations meant customizing the UI wasn't really an option. Messaging apps had no interface and could just plug into the voice system, and music apps couldn't change the interface much, only tweaking the colors and iconography of Google's default "music app" template. What really mattered was delivering the music and messages though, and apps could do that. +安卓 Auto 的应用没有多少。它只允许两个类别的应用:音乐和信息应用。车载信息娱乐系统的规定意味着自定义界面不是个好选择。信息应用没有界面,并且可以接入语音系统,音乐应用也不会太多地改变界面,仅仅只是调整一下谷歌默认的“音乐应用”模板的颜色和图标。但实际上重要的是音乐和消息的送达,在不让驾驶员太多分心的情况下,一般的应用就没法使用了。 -Android Auto hasn't seen much in the way of updates after its initial launch, but it has seen a ton of car manufacturer support. In 2017, there will be [over 100][46] compatible vehicle models. 
+安卓 Auto 在它的最初发布之后就没看到多少更新了,但已经逐渐有很多汽车制造商支持了。到了 2017 年,将会有[超过 100][46] 款支持的汽车型号。 -------------------------------------------------------------------------------- 作者简介: -Ron is the Reviews Editor at Ars Technica, where he specializes in Android OS and Google products. He is always on the hunt for a new gadget and loves to rip things apart to see how they work. +Ron 是 Ars Technica 的评论编缉,专注于安卓系统和谷歌产品。他总是在追寻新鲜事物,还喜欢拆解事物看看它们到底是怎么运作的。 -------------------------------------------------------------------------------- @@ -173,7 +171,7 @@ Ron is the Reviews Editor at Ars Technica, where he specializes in Android OS an via: http://arstechnica.com/gadgets/2016/10/building-android-a-40000-word-history-of-googles-mobile-os/30/ 作者:[RON AMADEO][a] -译者:[译者ID](https://github.com/译者ID) +译者:[alim0x](https://github.com/alim0x) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 From 3f2c899b8e9a1ac2deb87b4f3cd8ea35a5d88ca2 Mon Sep 17 00:00:00 2001 From: GitFuture Date: Mon, 2 Jan 2017 12:10:28 +0800 Subject: [PATCH 162/181] Translated --- ...929 Getting Started with HTTP2 - Part 2.md | 184 ------------------ ...929 Getting Started with HTTP2 - Part 2.md | 181 +++++++++++++++++ 2 files changed, 181 insertions(+), 184 deletions(-) delete mode 100644 sources/tech/20160929 Getting Started with HTTP2 - Part 2.md create mode 100644 translated/tech/20160929 Getting Started with HTTP2 - Part 2.md diff --git a/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md b/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md deleted file mode 100644 index 6a98fc0056..0000000000 --- a/sources/tech/20160929 Getting Started with HTTP2 - Part 2.md +++ /dev/null 
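Review bot: in the Android Auto section of PATCH 161/181 a link target is lost: the removed line has [typically struggles][45] but the added line has [通常挣扎于] with no [45], so the reference will not render; restore it as [通常挣扎于][45]. In the same section, the last sentence of the apps paragraph ("What really mattered was delivering the music and messages though, and apps could do that.") is translated as saying that ordinary apps cannot be used, which is not what the removed line says; please retranslate it. Smaller points: 略缩图 in the Android TV paragraph should be 缩略图, Youtube should be YouTube as in the source line, and 编缉 in the author bio should be 编辑.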
@@ -1,184 +0,0 @@ -It's translated by GitFuture now. - -Getting Started with HTTP/2: Part 2 -============================================================ - ![](https://static.viget.com/_284x284_crop_center-center/ben-t-http-blog-thumb-01_360.png?mtime=20160928234634) - -Firmly planting a flag in the sand for HTTP/2 best practices for front end development. - - -If you have been keeping up with the talk of HTTP/2, you have probably attempted it or at least thought of how incorporate it into your projects. While there are a lot of hypotheses on how to its features can change your workflow and improve speed and efficiency on the web, best practices still haven't quite been pinned down yet. What I want to cover in this post are some HTTP/2 best practices I have discovered on a recent project. - -If you aren't quite sure what HTTP/2 is or why it offers to improve your work, [check out my first post for a bit of background][4].  - -One note though: before we can get going, I need to mention that while your browser probably supports HTTP/2, your server probably doesn't. Check in with your hosting service to see if they offer HTTP/2 compatibility. Otherwise, you may be able to spin up your own server. This post does not cover how to do that unfortunately, but you can always check out the [http2 github][5] for some tools to get going in that direction. - -### 🙏 [Rubs Hands Together] - -A good way to start is to first organize your files. Take a look at the file tree below for a starting point to organize your stylesheets: - -``` -`/styles -|── /setup -| /* variables, mixins and functions */ -|── /global -| /* reusable components that could be within any component or section */ -|── /components -| /* specific components and sections */ -|── setup.scss // index for setup styles -|── global.scss // index for global styles` -``` - -This breaks out your styles into three main categories: Setup, Global and Components. 
I will get into what each of these directories offer to your project next. - -### Setting Up - -The Setup level directory will hold all of your variables, functions, mixins and any other definition that another file will need to compile properly. To make this directory fully reusable, it's a good idea to import the contents of this directory into `setup.scss` so that it looks something like this: - -``` -`/* setup.scss */ - -/* variables */ -@import "setup/variables/colors"; - -/* mixins */ -@import "setup/mixins/color"; - -/* functions */ -@import "setup/functions/color"; - -... etc` -``` - -Now that we have a quick reference to any definition on the site, we should be sure to include it at the top of any style file we create from here on out. - -### Going Global - -Your next directory, Global, should contain components that can be reused across the site within multiple sections, or on every single page. Things like buttons, text and heading styles as well as your browser resets should go here. I do not recommend putting your header or footer styles in here because on some projects, the header is absent or different on certain pages. Furthermore, the footer is always the last element on the page, so it should not be a huge priority to load the styles for it before the user has loaded anything else on the site. - -Keeping in mind that your Global styles probably won't work without the things we defined in the Setup directory, your Global file should look something like this: - -``` -`/* global.scss */ - -/* application definitions */ -@import "setup"; - -/* global styles */ -@import "global/reset"; -@import "global/buttons"; -@import "global/typography"; -@import "global/grid"; - -... etc` -``` - -Note that the first thing to import is the Setup styles. This way, any following file that uses something defined in that will have a reference to pull from. 
- -Since the Global styles will be needed on every page of the site, we can load them in the typical way, using a `` in the ``. What you will have will be a very light CSS file, or theoretically light, depending on how much global style you need. - -### Finally, Your Components - -Notice that I did not include an index file for the Components directory in the file tree above. This is really where HTTP/2 comes into play. Up until now, we have been following standard practices for typical site build out, maintaining a fairly lean infrastructure and opting to globalize only the most necessary styles. Components act as their own index files. - -Most developers have their own way of organizing their components, so I am not going to bother going into strategies here. However, all of your components should look something like this: - -``` -`/* header.scss */ - -/* application definitions */ -@import "../setup"; - -header { - // styles -} - -... etc` -``` - -This way, again, you have those Setup styles there to make sure that everything is defined during compilation. You don't have to concatenate, minify or really do anything to these files other than compile them, and probably place them in an /assets directory, easy to find for your templates. - -Now that our stylesheets are ready to go, building out the site should be simple. - -### Building Out the Components - -You probably have your own templating language of choice depending on the projects you are on, be it Twig, Rails, Jade or Handlebars. I think the best way to think about your components is that if it has its own template file, it should have a corresponding style with the same name. This way your project has a nice 1:1 ratio across your templates and styles and you know where which file everything is in because they are named accordingly. 
- -Now that that is out of the way, taking advantage of HTTP/2's multiplexing is really simple, so let's build a template: - -``` -`{# header.html #} - -{# compiled header styles #} - - -
-

This Awesome HTTP/2 Site

- ... etc` -``` - -And that is pretty much it! You probably have a less heavy-handed way of linking to assets within your templates, but this shows you that all you need to do is link to that one small header style in the template file before you start your markup. This allows your site to only load the specific assets to the components on any given page, and furthermore, prioritizing the components from the top of your page to the bottom. - -### Mixing It All Together - -Now that all the components have a structure, the browser will render them something like this: - -``` -` - - - - - - - -
- ... etc -
- - -
- ... etc -
- - -
- ... etc -
- - -
- ... etc -
- - -
- ... etc -
- - -` -``` - -This is an upper level approach, but you will probably have finer-tuned components on your project. For example, you may have a `