Linux/Mac password generator

With more and more applications around, we constantly have to enter passwords. Some have no strength requirements; others demand upper- and lower-case letters, special characters, digits, a minimum length, and so on, and it is hard to come up with a decent password. I had been relying on the password generator built into tools such as 1Password, but for those who do not use a password manager, is there really nothing to be done?

Fortunately, on Linux/Mac (I do not use the other system) there are still ways to generate a password that meets such requirements.
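The excerpt above does not show the post's own method. As an added example (not the post's code), here is one way to do it with only the tools a Linux/Mac shell already has: draw random bytes from /dev/urandom, keep the characters of an allowed set, and then verify that the result actually contains all four classes (upper, lower, digit, special) before accepting it. The function names and the character set are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate a password of a given
# length from /dev/urandom and keep only candidates that satisfy the usual
# complexity rules (upper, lower, digit, special, minimum length).

# check_password PASSWORD MINLEN -> 0 if PASSWORD meets all four class rules
check_password() {
  pw=$1
  minlen=${2:-12}
  [ "${#pw}" -ge "$minlen" ] || return 1
  # LC_ALL=C keeps the bracket ranges byte-oriented regardless of locale
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
  printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
  return 0
}

# gen_password LENGTH -> prints one password that passes check_password
gen_password() {
  len=${1:-16}
  # fewer than four characters can never hold all four classes
  [ "$len" -ge 4 ] || return 1
  # allowed characters; '-' goes last so tr does not read it as a range
  chars='A-Za-z0-9!@#$%^&*()_=+-'
  while :; do
    candidate=$(LC_ALL=C tr -dc "$chars" </dev/urandom | head -c "$len")
    if check_password "$candidate" "$len"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
}

# usage: a 16-character password on stdout
gen_password 16
```

The rejection loop is what makes the output compliant rather than merely random: a 16-character draw from 76 symbols misses at least one class a few percent of the time, so a generator that only filters characters will occasionally emit a password a policy refuses.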


Fixing the RedHat "problem making ssl connection" error

Today I received a RedHat machine and needed to install Ansible on it to set up continuous integration.

After configuring the Tsinghua University epel-release mirror, searching for the ansible package produced the following error:

[root@2B2C-test-DB1 .repos.d]#  search ansible
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
https://mirrors.tuna.tsinghua.edu.cn/epel/6/x86_64/repodata/repomd.xml: [Errno 14] problem making ssl connection
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again
[root@2B2C-test-DB1 .repos.d]# 


Several ways to run docker build

The help output of docker build shows that it can build not only from a local Dockerfile but also from a URL or from standard input (-). Below are the several ways docker build can be invoked.

[hzz@ TEST]$ docker build --help

Usage:  docker build [OPTIONS] PATH | URL | -

Build an image from a Dockerfile


A Bash function for running commands on a remote host

expect must be installed for this to work.

yum install -y expect;
#!/usr/bin/env bash
# run a command on a remote host over ssh, answering the prompts with expect
set -e;

EXPECT_SH(){
  local EXUSR=${1}
  local EXHOST=${2}
  local EXPWD=${3}
  local EXCMD=${4}
  expect -c "
    set timeout 300
    spawn ssh ${EXUSR}@${EXHOST}
    expect {
      \"not known\" {send_user \"Erro:Host not known\n\"; exit 1}
      \"Connection refused\" {send_user \"Erro:Connection refused\n\"; exit 1}
      \"(yes/no)?\" {send \"yes\r\";exp_continue}
      \"password:\" {send \"${EXPWD}\r\";exp_continue}
      \"Permission denied\" {send_user \"Erro:Wrong passwd\n\"; exit 1}
      \"]*\" {send \"\r\"}
      \">*\" {send \"\r\"}
    }
    send \"${EXCMD}\rexit\r\"
    expect eof
  "
}

An Expect function for checking remote execution

expect must be installed for this to work.

yum install -y expect;
#!/usr/bin/env bash
# check that a password login and command execution work on a remote host
set -e;

EXPECT_CHECK(){
  local EXUSR=${1}
  local EXHOST=${2}
  local EXPWD=${3}
  # ssh test: the remote side prints PASS, expect prints Erro:... on failure
  EXP_RST=`
    expect -c "
      set timeout 300
      spawn ssh ${EXUSR}@${EXHOST} \"echo PASS\"
      expect {
        \"not known\" {send_user \"Erro:Host not known\n\"; exit 1}
        \"Connection refused\" {send_user \"Erro:Connection refused\n\"; exit 1}
        \"(yes/no)?\" {send \"yes\r\";exp_continue}
        \"password:\" {send \"${EXPWD}\r\";exp_continue}
        \"Permission denied\" {send_user \"Erro:Wrong passwd\n\"; exit 1}
      }
    " | grep -E 'PASS|Erro' | grep -v echo | sed 's/\r//g;s/\n//g'
  `
  if [[ -n ${EXP_RST} && ${EXP_RST} == PASS ]]; then
    echo -e "\nEXPECT CHECK COMPLETE!\n";
    return 0;
  else
    echo -e "\n${EXUSR}@${EXHOST} EXPECT CHECK ERROR!\n";
    echo -e "\n${EXP_RST}\n";
    return 1;
  fi
}

Bash functions for copying files to and from a remote host

expect must be installed for this to work.

yum install -y expect;
#!/usr/bin/env bash
# copy files over scp, answering the prompts with expect
set -e;

# copy a remote file to the local host
EXPECT_CP_R(){
  local EXUSR=${1}
  local EXHOST=${2}
  local EXPWD=${3}
  local R_FILE=${4}
  local L_FILE=${5}

  expect -c "
    set timeout 300
    spawn scp -qr ${EXUSR}@${EXHOST}:${R_FILE} ${L_FILE}
    expect {
      \"not known\" {send_user \"Erro:Host not known\n\"; exit 1}
      \"Connection refused\" {send_user \"Erro:Connection refused\n\"; exit 1}
      \"(yes/no)?\" {send \"yes\r\";exp_continue}
      \"password:\" {send \"${EXPWD}\r\";exp_continue}
      \"Permission denied\" {send_user \"Erro:Wrong passwd\n\"; exit 1}
      \"]*\" {send \"\r\"}
      \">*\" {send \"\r\"}
    }
  "
}

# copy a local file to the remote host
EXPECT_CP_L(){
  local EXUSR=${1}
  local EXHOST=${2}
  local EXPWD=${3}
  local L_FILE=${4}
  local R_FILE=${5}

  expect -c "
    set timeout 300
    spawn scp -qr ${L_FILE} ${EXUSR}@${EXHOST}:${R_FILE}
    expect {
      \"not known\" {send_user \"Erro:Host not known\n\"; exit 1}
      \"Connection refused\" {send_user \"Erro:Connection refused\n\"; exit 1}
      \"(yes/no)?\" {send \"yes\r\";exp_continue}
      \"password:\" {send \"${EXPWD}\r\";exp_continue}
      \"Permission denied\" {send_user \"Erro:Wrong passwd\n\"; exit 1}
      \"]*\" {send \"\r\"}
      \">*\" {send \"\r\"}
    }
  "
}

Linux: jump straight to a directory with autojump

Before introducing this gem, a question: while working in Linux, how do you get to a given directory quickly?

Many people will say: use tab completion, silly!

Right, before I knew about autojump I thought the same, but once I had got used to it I understood what "arrive where you think" means: you no longer care how many directory levels lie in between, you only need to remember the name of the final directory and you can jump straight into it…


OpenLDAP HA deployment

Introduction

Not much needs saying about OpenLDAP itself: it is the open-source implementation of the Lightweight Directory Access Protocol. This post uses MirrorMode, a dual-master mirroring mechanism, to keep two nodes in sync; each server pushes its changes to the other.

OpenLDAP synchronisation requirements

  1. The clocks of the OpenLDAP servers must be kept in sync;
  2. The OpenLDAP package versions must be identical;
  3. The OpenLDAP nodes must be able to resolve each other's host names;
  4. Every node must carry exactly the same configuration and directory tree (the BaseDn must be identical).

Installing OpenLDAP

Installing with yum is recommended.

 sudo yum install -y openldap openldap-servers openldap-devel openldap-clients

OpenLDAP HA configuration

Newer OpenLDAP releases officially recommend configuring the server from the command line or by importing ldif files, so a slapd.conf is no longer shipped; for beginners, however, configuration through ldif imports is hard to follow. Fortunately the ability to import a slapd.conf has been kept, so we can write our own slapd.conf and import it ourselves.

Create a slapd.conf file with the following contents:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/collective.schema
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/pmi.schema
include     /etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral  ://root.openldap.org

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /libexec/openldap
# moduleload    back_mdb.la
# moduleload    back_.la
modulepath  /usr/lib64/openldap
moduleload  syncprov.la

# Sample security restrictions
#  Require integrity protection (prevent hijacking)
#  Require 112-bit (3DES or better) encryption for updates
#  Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#  Root DSE: allow anyone to read it
#  Subschema (sub)entry DSE: allow anyone to read it
#  Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#  Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#  by self write
#  by users read
#  by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database    bdb
#maxsize       1073741824
suffix      "dc=,dc=com"
rootdn      "cn=Manager,dc=,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      {SSHA}Owxt0yhMvU41kWbik1q2KfNygDPCuzdm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/
# Indices to maintain
index   objectClass eq

## HA configuration

# additional indexes
index entryCSN,entryUUID eq
overlay syncprov
# checkpoint condition: after 1 modified entry or after 1 minute
syncprov-checkpoint 1 1
syncprov-sessionlog 100
# must be unique per node
serverID    1
# replication id; must be three digits
syncrepl      rid=123
              # address of the other node
              provider=ldap://10.65.252.57
              # simple bind
              bindmethod=simple
              # bind user
              binddn="cn=Manager,dc=magedu,dc=com"
              # password
              credentials=123456
              # BaseDn
              searchbase="dc=magedu,dc=com"
              schemachecking=off
              type=refreshAndPersist
              # retry interval; note the spaces in between
              retry="60  +"
mirrormode on

Adjust the dc values (the suffix must match the syncrepl searchbase) and the provider address to your own environment.

After editing, import the configuration with the following commands:

rm -rf /etc/openldap/slapd.d/*;
slaptest -f slapd.conf -F /etc/openldap/slapd.d;
chown -R ldap:ldap /etc/openldap/*;
service slapd restart;

Configure the other node the same way, changing only the provider address (and the serverID, which as noted above must be unique).
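The synchronisation requirements listed earlier and the comments in the slapd.conf above amount to a short checklist for a MirrorMode pair: unique serverID, identical suffix, searchbase equal to the suffix on each node, mirrormode on, and each provider pointing at the other node. The following is an added example (not part of the post) that applies that checklist to two slapd.conf fragments before they are imported; NODE_A and NODE_B are constructed sample input with placeholder provider addresses, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check two slapd.conf MirrorMode
# fragments against the sync conditions (unique serverID, identical suffix,
# searchbase equal to suffix, mirrormode on, providers pointing at each other).
# NODE_A and NODE_B are constructed samples; 192.0.2.x are placeholder addresses.

NODE_A='serverID    1
suffix      "dc=magedu,dc=com"
overlay     syncprov
syncrepl    rid=123
            provider=ldap://192.0.2.2
            bindmethod=simple
            searchbase="dc=magedu,dc=com"
            type=refreshAndPersist
mirrormode  on'

NODE_B='serverID    2
suffix      "dc=magedu,dc=com"
overlay     syncprov
syncrepl    rid=123
            provider=ldap://192.0.2.1
            bindmethod=simple
            searchbase="dc=magedu,dc=com"
            type=refreshAndPersist
mirrormode  on'

# conf_directive KEY: first value of a "KEY value" line on stdin, quotes stripped
conf_directive() {
  awk -v k="$1" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# conf_param KEY: value of a syncrepl "KEY=value" parameter on stdin, quotes stripped
conf_param() {
  awk -v k="$1" '{
    for (i = 1; i <= NF; i++)
      if (index($i, k "=") == 1) { v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit }
  }'
}

# check_mirror_pair CONF_A CONF_B: 0 when consistent, else print each violation and return 1
check_mirror_pair() {
  local a=$1 b=$2 rc=0
  local sid_a sid_b suf_a suf_b base_a base_b prov_a prov_b mm_a mm_b
  sid_a=$(printf '%s\n' "$a" | conf_directive serverID)
  sid_b=$(printf '%s\n' "$b" | conf_directive serverID)
  suf_a=$(printf '%s\n' "$a" | conf_directive suffix)
  suf_b=$(printf '%s\n' "$b" | conf_directive suffix)
  mm_a=$(printf '%s\n' "$a" | conf_directive mirrormode)
  mm_b=$(printf '%s\n' "$b" | conf_directive mirrormode)
  base_a=$(printf '%s\n' "$a" | conf_param searchbase)
  base_b=$(printf '%s\n' "$b" | conf_param searchbase)
  prov_a=$(printf '%s\n' "$a" | conf_param provider)
  prov_b=$(printf '%s\n' "$b" | conf_param provider)

  [ -n "$sid_a" ] && [ "$sid_a" != "$sid_b" ] \
    || { echo "serverID must be set and unique (got '$sid_a' and '$sid_b')"; rc=1; }
  [ -n "$suf_a" ] && [ "$suf_a" = "$suf_b" ] \
    || { echo "suffix differs between nodes ('$suf_a' vs '$suf_b')"; rc=1; }
  [ "$suf_a" = "$base_a" ] && [ "$suf_b" = "$base_b" ] \
    || { echo "searchbase must equal the suffix on each node"; rc=1; }
  [ "$mm_a" = on ] && [ "$mm_b" = on ] \
    || { echo "mirrormode must be on on both nodes"; rc=1; }
  [ -n "$prov_a" ] && [ "$prov_a" != "$prov_b" ] \
    || { echo "each provider must point at the other node ('$prov_a' / '$prov_b')"; rc=1; }
  return $rc
}

# usage: report before running slaptest on either node
check_mirror_pair "$NODE_A" "$NODE_B" && echo "mirror pair looks consistent"
```

Run it on the two files before `slaptest`: a pair that fails the serverID or searchbase check will still import cleanly on each node, and the mismatch only shows up later as entries that never replicate.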

Keepalived configuration

Installing Keepalived with yum is recommended:

sudo yum install -y keepalived;

Edit /etc/keepalived/keepalived.conf as follows:

! Configuration File for keepalived
global_defs {
    notification_email {
       xhh@cmss.chinamobile.com
    }
   notification_email_from  root@cmss.chinamobile.com
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   # node identifier
   router_id ldap_A
}
vrrp_instance VI_1 {
   state MASTER
   # network interface to use: eth0
   interface eth0
   # virtual router id; must be the same on both nodes
   virtual_router_id 150
   # priority; the node with the higher priority becomes master
   priority 100
   # no preemption
   nopreempt
   advert_int 1
  authentication {
     auth_type PASS
     auth_pass 1111
  }
  virtual_ipaddress {
    10.133.47.180
  }
   notify_master "/etc/keepalived/to_master.sh"
   notify_backup "/etc/keepalived/to_master.sh"
   notify_stop "/etc/keepalived/to_stop.sh"
   track_script {
      check_ldap_server_status
   }
}
vrrp_script check_ldap_server_status {
  script "/etc/keepalived/check-ldap-server.sh"
  # interval between checks, in seconds
  interval 3
  # when the script fails, lower the priority by 5
  weight -5
}

The contents of check-ldap-server.sh:

#!/bin/bash
ldapPid=$(ps -ef |grep slapd|grep -v grep|awk '{print $2}'|grep -v PID)
if [ "$ldapPid" == "" ]; then
   service keepalived stop
   exit 1
else
   exit 0
fi
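The check script above decides that slapd is alive whenever some process has "slapd" anywhere in its command line, so an editor open on slapd.conf, or a shell running a script with that name, keeps the check green while the directory is down. The following is an added example (not the post's code) that shows the false positive on a constructed ps -ef sample and a match on the command field instead; the function names and the sample lines are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: compare the post's "ps | grep slapd"
# liveness test with a match on the command name, using constructed ps -ef output.
# No slapd is running in this sample; only an editor has slapd.conf open.
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:00 /sbin/init
hzz       2345  2300  0 10:05 pts/0    00:00:00 vi /etc/openldap/slapd.conf
hzz       2399  2300  0 10:06 pts/0    00:00:00 grep slapd'

# pids_substring_match: the post's pipeline, reading ps -ef output on stdin
pids_substring_match() {
  grep slapd | grep -v grep | awk '{print $2}' | grep -v PID
}

# pids_exact_match: only lines whose command (field 8) is slapd or ends in /slapd
pids_exact_match() {
  awk 'NR > 1 && ($8 == "slapd" || $8 ~ /\/slapd$/) { print $2 }'
}

# check_slapd: 0 when a real slapd process exists, 1 otherwise (live system)
check_slapd() {
  [ -n "$(ps -ef | pids_exact_match)" ]
}

# usage: the two tests disagree on the constructed sample
echo "substring match pids: $(printf '%s\n' "$PS_SAMPLE" | pids_substring_match)"
echo "exact match pids:     $(printf '%s\n' "$PS_SAMPLE" | pids_exact_match)"
```

On a live host `pgrep -x slapd` gives the same exact-name result in one call. Note also that the post's script stops keepalived outright when the check fails, so the `weight -5` in the vrrp_script block never gets a chance to act; the VIP moves because the daemon exits, not because of the priority adjustment.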

The contents of to_master.sh:

#!/bin/bash
service slapd start

The contents of to_stop.sh:

#!/bin/bash
service slapd stop

Configure Keepalived on the other node the same way; only the following three fields need different values:

router_id   ldap_B
state   BACKUP
priority    98  

For more on Keepalived configuration see "[Repost] How keepalived works and its configuration".

Once configured, restart Keepalived:

service keepalived restart;

Disabling iptables and SELinux on CentOS 7

Moving from CentOS 6 to 7, the service management command changed from service to systemctl, but the old form generally still works. Today, though, while disabling the firewall on a freshly installed host, I ran into the following error:

[hzz@ ~]$ sudo service  stop
[sudo] password for hzz: 
Redirecting to /bin/systemctl stop  .service
Failed to stop .service: Unit .service not loaded.
[hzz@magedu ~]$ 
