升级openssl

root@stack:~# openssl version
OpenSSL 1.1.1f 31 Mar 2020

download

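# Fetch the OpenSSL source tarball to build from.
# NOTE(review): 1.1.1c predates the 1.1.1f reported by `openssl version` above, so as
# written this step is a downgrade, not an upgrade — choose a release at least as new as
# the one installed. Check the tarball against the project's published signature or
# checksum before building; a successful HTTPS download alone says nothing about the file.
version=${OPENSSL_VERSION:-1.1.1c}
wget "https://www.openssl.org/source/openssl-${version}.tar.gz"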

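# Build OpenSSL from the downloaded tarball, install it under its own prefix,
# and make it the default `openssl` binary and libssl location.
# Run as root. If ./config fails, install the perl and gcc packages first.
set -euo pipefail

prefix=/usr/local/openssl
src=openssl-1.1.1c

tar -zxvf "${src}.tar.gz"
cd "$src"
./config --prefix="$prefix"
make
make install

# Keep the distro binary as a backup — but only the real file: on a re-run the
# symlink created below must not overwrite that backup.
if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
  mv /usr/bin/openssl /usr/bin/openssl.bak
fi
ln -sf "$prefix/bin/openssl" /usr/bin/openssl

# Register the new library directory exactly once (re-runs must not append duplicates).
# NOTE(review): once this directory is on the loader path, other programs linked against
# libssl.so.1.1 may load this build instead of the distro-patched one — confirm that is
# intended before doing this on a shared host.
grep -qxF "$prefix/lib" /etc/ld.so.conf \
  || printf '%s\n' "$prefix/lib" >> /etc/ld.so.conf
ldconfig -v   # apply the change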

总结

LVM 换盘

背景: 多个LUN划给主机做成LVM卷,现在要更换后端LUN,也就是更换集中存储设备,业务端涉及虚机上千就不从虚机端拷贝数据了,直接从LVM物理卷更换

模拟线上操作,添加2G * 2块盘做为LVM卷,第三块盘为新添加,替换掉第一块盘,保证LV卷数据不丢失

扫盘

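# Ask every SCSI host to rescan for newly presented LUNs by writing "- - -" to
# each `scan` node under /sys. The paths are handed over NUL-separated and
# quoted so an unusual name cannot be word-split into several writes.
while IFS= read -r -d '' scan_node; do
  printf '%s\n' "- - -" > "$scan_node"
done < <(find /sys -iname 'scan' -print0)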

裸盘分区

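# Label the three test disks GPT and create one partition spanning each.
# NOTE(review): mklabel discards whatever partition table the device has — double-check
# the device names first. The pvcreate/vgcreate steps further down address the whole
# disks (/dev/sdb, /dev/sdc), not the partitions created here; either use /dev/sdX1 there
# or drop this step — confirm which is intended.
for disk in /dev/sdb /dev/sdc /dev/sdd; do
  parted "$disk" -s -- mklabel gpt mkpart primary 1 100%
done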

制作PV

# Initialise the two original disks as LVM physical volumes.
# NOTE(review): whole disks are used although the parted step above put a GPT label on
# them; pvcreate may refuse or prompt on a device carrying a partition table — confirm
# whether /dev/sdb or /dev/sdb1 is meant.
pvcreate  /dev/sdb  /dev/sdc

制作VG

# Group both PVs into one volume group, vg001 (same devices as the pvcreate above).
vgcreate vg001 /dev/sdb  /dev/sdc

划分LV, 有意划分3G大小卷跨物理PV

# Create a 3G logical volume; with two 2G PVs this deliberately spans both disks,
# which is what the later PV swap has to cope with.
lvcreate -L 3G -n lv001 vg001

查看物理PE信息

# Show per-PV extent usage, i.e. how lv001 is spread over /dev/sdb and /dev/sdc.
pvdisplay

查看VG信息

# Show the volume group summary (size, free extents, member PV count).
vgdisplay

卷写入数据

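# Put a filesystem on the LV, mount it and write a marker file so that data
# survival can be checked after the PV swap. Run as root.
mkfs.ext4 /dev/mapper/vg001-lv001
mkdir -p /data   # mount needs an existing mount point
mount /dev/mapper/vg001-lv001 /data
printf '%s\n' "test lvm data" > /data/test.txt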

添加第三块到VG

# Add the new disk to the VG so there is somewhere to move the extents of /dev/sdb.
vgextend  vg001 /dev/sdd

移除第一块盘中的PE

# Relocate every allocated extent off /dev/sdb onto free extents elsewhere in vg001
# (the newly added /dev/sdd). Let it finish before the vgreduce below.
pvmove /dev/sdb

从VG中移除第一块盘

# Detach the now-empty PV from the VG (refused while extents are still allocated on it).
vgreduce  vg001 /dev/sdb

最后移除PV

# Wipe the LVM label from the old disk; it can then be unmapped from the host.
pvremove /dev/sdb

prometheus 重新打标

定义在job字段内
示例1

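# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    consul_sd_configs:
      - server: "192.168.1.40:8500"
        tags:
          - "prometheus"
        refresh_interval: 2m

  # All nodes
  - job_name: 'nodes'
    consul_sd_configs:
      - server: "192.168.1.40:8500"
        tags:
          - "nodes"
        refresh_interval: 2m

    # Before the scrape: build an "endpoint" label of the form scheme://address/path
    # from the discovery metadata. separator "" joins the three source labels with no
    # delimiter, so the regex sees e.g. "http10.0.0.1:9100/metrics" (constructed example).
    relabel_configs:
      - source_labels:
          - __scheme__
          - __address__
          - __metrics_path__
        regex: "(http|https)(.*)"
        separator: ""
        target_label: "endpoint" # add this label; its value is the replacement string
        replacement: "${1}://${2}"
        action: replace

    # After the scrape: discard series whose metric name matches.
    metric_relabel_configs: # drop metrics
      #- source_labels:
      #    - __name__
      #  regex: "go_info.*"
      #  action: drop
      - source_labels:
          - __name__
        regex: "salar.*"
        action: drop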

示例2

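# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'nodes'
    file_sd_configs:
      - files:
          - targets/nodes-*.yaml
        refresh_interval: 1m

    # Spelled relabel_configs: a misspelt key is rejected by Prometheus as an unknown field.
    relabel_configs:
      - regex: "(app)"
        replacement: "${1}_name" # copy the label under the name app_name
        action: labelmap # labelmap renames label names, not values
      - regex: "(app)" # then drop the original app label
        action: labeldrop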

总结

drop: 正则匹配成功就删除
keep: 正则匹配成功就保留

relabel_configs:
抓取前的标记,针对target自身标记,将来自服务发现的元数据标签中的信息附加到指标上标签上和过滤目标的作用

metric_relabel_configs:
抓取后的标记,针对抓取指标的标记,用于删除指标、从指标中删除标签、添加编辑修改指标的值

vCenter update certs

检查过期相关组件

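# Walk every VECS store and print each entry's alias and expiry, to spot
# certificates about to expire. Stores with no "Not After" line (e.g. the CRL
# store) only show their alias. Store names are read line by line and quoted,
# so no word-splitting or globbing happens on them.
vecs_cli=/usr/lib/vmware-vmafd/bin/vecs-cli
while IFS= read -r store; do
  printf 'STORE %s\n' "$store"
  sudo "$vecs_cli" entry list --store "$store" --text | grep -E 'Alias|Not After'
done < <("$vecs_cli" store list)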

回显

STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jul 24 05:29:45 2023 GMT
STORE TRUSTED_ROOTS
Alias : ca6378753e13f38f2c78597723bbfbd2bdab5c70
Not After : Feb 12 06:34:52 2029 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 66a9d0b33019168ebc8ab857f2d2e6d3f9ef7d02
STORE machine
Alias : machine
Not After : Jul 24 05:30:47 2023 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Jul 24 05:30:48 2023 GMT
STORE vpxd
Alias : vpxd
Not After : Jul 24 05:30:49 2023 GMT
STORE vpxd-extension
Alias : vpxd-extension
Not After : Jul 24 05:30:50 2023 GMT
STORE SMS
Alias : sms_self_signed
Not After : Feb 18 06:49:32 2029 GMT

签证书文件

/usr/lib/vmware-vmca/share/config/certool.cfg
#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name = CA
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
# IPAddress and Hostname are set to the node's PNID (the vmafd-cli get-pnid query
# below returns 192.168.1.250); presumably the regenerated certificate must carry the
# PNID here — confirm against the KB articles referenced in the summary.
IPAddress = 192.168.1.250
# Placeholder contact address; replace before issuing a real CSR.
Email = email@acme.com
Hostname = 192.168.1.250

获取PNID

root@photon-machine [ ~ ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
192.168.1.250

全部更新证书

# Regenerate all certificates with the VMCA certificate manager, using the
# certool.cfg template above; the KB articles in the summary describe the menu choices.
/usr/lib/vmware-vmca/bin/certificate-manager

总结

vcenter 6.5证书过期解决办法参考:
https://kb.vmware.com/s/article/76719
https://kb.vmware.com/s/article/2097936
https://kb.vmware.com/s/article/2112283

mongodb-访问控制

想要基于角色的访问控制和数据库账号权限访问,那么我们先做好一个没有权限的集群,在此基础上一点点改

集群内置角色

wxqset:PRIMARY> use admin
switched to db admin
wxqset:PRIMARY> show roles;
{
"role" : "__queryableBackup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "clusterAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "clusterManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "clusterMonitor",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbOwner",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "enableSharding",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "hostManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "read",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readWrite",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readWriteAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "restore",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "root",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "userAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "userAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}

创建最高权限

// Create the superuser in the admin database. The password is a sample only:
// supply a generated secret, e.g. via passwordPrompt() (mongo shell 4.2+), rather
// than a literal that ends up in shell history and notes.
use admin;  db.createUser({user: "root",pwd: "123.com",roles: [{role: "root",db: "admin"}]})

创建常规管理员权限

// Day-to-day administrator. userAdminAnyDatabase manages users and roles everywhere
// and can grant itself any role, so protect it like root. Sample password — replace it.
use admin;  db.createUser({user: "admin",pwd: "123456",roles: [{role: "userAdminAnyDatabase",db: "admin"}]})

为单个库设置用户读写权限

// Application user scoped to one database: created in db01, so it authenticates
// against db01 and only has readWrite there. Sample password — replace it.
use db01;  db.createUser({user: "user01",pwd: "123456",roles: [{role: "readWrite",db: "db01"}]})

其它权限示例

wxqset:PRIMARY> use admin;  db.createUser({user: "admin01",pwd: "123456",roles: [{role: "userAdminAnyDatabase",db: "admin"}]})
Successfully added user: {
"user" : "admin01",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}

wxqset:PRIMARY> use admin; db.createUser({user: "admin02",pwd: "123.com",roles: [{role: "clusterAdmin",db: "admin"}]})
Successfully added user: {
"user" : "admin02",
"roles" : [
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}

数据库用户查询

xxx:PRIMARY> use admin
xxx:PRIMARY> db.auth("username","pwd")
xxx:PRIMARY> use db01
xxx:PRIMARY> db.auth("username","pwd")
xxx:PRIMARY> show users;
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "clusterAdmin",
"db" : "admin"
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "local"
}
]
}

xxx:PRIMARY> db.system.users.find().pretty()

开启集群认证需要keyFile,所以创建keyFile文件,集群节点保持文件内容一致

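# Generate the shared cluster key; the same file contents go on every member.
# The file is created under a restrictive umask so it is never world-readable,
# not even between the redirect and the chmod, then handed to the service account.
# The chain stops at the first failing step instead of chmod/chown-ing an empty file.
keyfile=/etc/mongod.keys
( umask 077 && openssl rand -base64 756 > "$keyfile" ) \
  && chmod 400 "$keyfile" \
  && chown mongod:mongod "$keyfile"   # NOTE(review): account name is distro-specific (mongod vs mongodb) — check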

集群所有节点修改 /etc/mongod.conf

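# Turn on role-based access control and member-to-member authentication.
# keyFile must be the file created above, with identical contents on every member.
security:
  authorization: enabled
  keyFile: /etc/mongod.keys
  clusterAuthMode: keyFile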

修改好配置后重启即可

# Restart on every member so the security section takes effect
# (the leading "# " is the root prompt, not a comment marker).
# systemctl  restart mongod

总结

1 keyFile属主属组及权限是注意点
2 权限这块理解好各个角色的作用域

redis install

简单使用

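# Download and build Redis from source. The first URL always resolves to the
# newest stable release; the second pins the version the remaining steps unpack.
# Both fetched over HTTPS — a plain-HTTP download can be altered in transit.
# Compare the tarball's SHA-256 with the hash the project publishes for the release
# before building.
version=6.2.5
wget "https://download.redis.io/redis-stable.tar.gz"   # latest stable release
wget "https://download.redis.io/releases/redis-${version}.tar.gz"
tar xzf "redis-${version}.tar.gz"
cd "redis-${version}" && make   # never build in the wrong directory if cd fails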

如果重新make不下去

# If a rebuild keeps failing, throw away the whole build tree first and start clean.
make distclean  && make

自动拷贝程序文件

# Install the built binaries into /usr/local/bin (the default prefix).
make install
# The two lines below are a transcript: the root-prompt ls and its output, not commands to run.
# ls /usr/local/bin
redis-benchmark redis-check-aof redis-check-rdb redis-cli redis-sentinel redis-server

拷贝配置文件

# Copy the stock config to /etc; everything after this line is redis.conf content
# to set in /etc/redis.conf, not shell.
cp  redis.conf /etc/
# edit parameter
# NOTE(review): "passwd" is a placeholder — use a long random password. Keep `bind`
# limited to the interfaces that need it and `protected-mode yes`, so the password is
# not the only thing between the network and the instance.
requirepass passwd
# save "" # disable local persistence entirely
# snapshot policy: save after <seconds> if at least <changes> keys changed
save 3600 1
save 300 100
save 60 10000
dir /data/redis-data # data directory; must exist and be writable by the account redis runs as
daemonize yes # background on start — this is what Type=forking in the unit file below expects

手写启动文件

[root@localhost ~]# vi /usr/lib/systemd/system/redis.service 

[Unit]
Description=Redis persistent key-value database
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
# Starts the source-built server with the config copied to /etc above.
ExecStart=/usr/local/bin/redis-server /etc/redis.conf
# NOTE(review): with requirepass set in /etc/redis.conf this unauthenticated `shutdown`
# is rejected (NOAUTH), leaving systemd to fall back to signalling the process — confirm
# on the host. Dropping ExecStop and letting systemd send SIGTERM, which redis-server
# handles as a clean shutdown, avoids putting the password into the unit.
ExecStop=/usr/local/bin/redis-cli shutdown
#Type=notify
# forking matches "daemonize yes" in /etc/redis.conf.
Type=forking
# NOTE(review): the service runs as root, which nothing in this setup requires;
# a dedicated unprivileged account owning /data/redis-data would confine the process.
User=root
Group=root
RuntimeDirectory=redis
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

总结

官网
https://redis.io/download#from-source-code
https://redis.io/topics/quickstart