2018-06-04 09:11:44    20    0    0

Install Samba

  yum -y install samba samba-client

Configuration

  cd /etc/samba/
  # back up smb.conf first
  cp smb.conf smb.conf.origin
  vim smb.conf
  service smb restart
  smbpasswd -a root
  vi /etc/samba/smbusers
  # smbusers entry: the Samba logins admin, xxx and bbb all map to the Unix user root
  root = admin xxx bbb

smb.conf

  [global]
  interfaces = lo eth0 eth1
  log file = /var/log/samba/log.%m
  max log size = 50
  netbios name = SMBSERVER
  printcap name = cups
  security = USER
  server string = Samba Server Version %v
  smb passwd file = /etc/samba/smbpasswd
  username map = /etc/samba/smbusers
  idmap config * : backend = tdb
  cups options = raw
  max connections = 10
  [ossdata]
  admin users = root
  browseable = No
  comment = ossdata Directories
  inherit acls = Yes
  path = /ossdata/samba
  read only = No
  valid users = %S %D%w%S
  write list = root
  [printers]
  browseable = No
  comment = All Printers
  create mask = 0600
2018-06-04 09:00:09    17    0    0

Configure an NFS server

  yum -y install nfs-utils
  vi /etc/idmapd.conf
  # line 5: uncomment and change to your domain name
  Domain = vdevops.org
  vi /etc/exports
  # write settings for NFS exports
  /home 10.1.1.0/24(rw,no_root_squash)
  systemctl start rpcbind nfs-server
  systemctl enable rpcbind nfs-server
  showmount -e  # list the directories exported by NFS
  # if the firewall is enabled, add the following
  firewall-cmd --add-service=nfs --permanent
  firewall-cmd --reload
2018-06-02 11:02:25    15    0    0

Install ossfs

  # the URL contains '&', so it must be quoted for the shell
  wget "http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/32196/cn_zh/1527232195135/ossfs_1.80.5_centos7.0_x86_64.rpm?spm=a2c4g.11186623.2.6.WVXUpG&file=ossfs_1.80.5_centos7.0_x86_64.rpm"
  yum localinstall ossfs_1.80.5_centos7.0_x86_64.rpm

Set the AccessKeyId

Put the bucket name and the AccessKeyId/Secret into the file /etc/passwd-ossfs. Note that the permissions of this file must be set correctly; 640 is recommended.

  echo my-bucket:my-access-key-id:my-access-key-secret > /etc/passwd-ossfs
  chmod 640 /etc/passwd-ossfs

Mount the OSS bucket on the chosen directory.

  ossfs my-bucket my-mount-point -ourl=my-oss-endpoint

Example

  echo my-bucket:faint:123 > /etc/passwd-ossfs
  chmod 640 /etc/passwd-ossfs
  mkdir /tmp/ossfs
  ossfs my-bucket /tmp/ossfs -ourl=http://oss-cn-hangzhou.aliyuncs.com
2018-06-02 08:31:46    21    0    0

Installing Presto

Download the Presto server tarball

https://repo1.maven.org/maven2/com/facebook/presto/presto-server/0.203/presto-server-0.203.tar.gz

and unpack it. The tarball will contain a single top-level directory, presto-server-0.203, which we will call the installation directory.

Configuring Presto

Create an etc directory inside the installation directory. This will hold the following configuration:

  • Node Properties: environmental configuration specific to each node
  • JVM Config: command line options for the Java Virtual Machine
  • Config Properties: configuration for the Presto server
  • Catalog Properties: configuration for Connectors (data sources)

Node Properties

The node properties file, etc/node.properties, contains configuration specific to each node. A node is a single installed instance of Presto on a machine. This file is typically created by the deployment system when Presto is first installed. The follow

2017-12-18 01:32:42    16    0    0

Elasticsearch

installation

Elasticsearch requires at least Java 8

  java -version
  echo $JAVA_HOME
  curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.1.0.tar.gz
  tar -xvf elasticsearch-6.1.0.tar.gz
  cd elasticsearch-6.1.0/bin
  # install x-pack
  bin/elasticsearch-plugin install x-pack

configuration

  cluster.name: cluster-01
  node.name: node-01
  path.data: /home/elk/elasticsearch-6.1.0/data
  path.logs: /home/elk/elasticsearch-6.1.0/logs
  network.host: 0.0.0.0
  http.port: 9200
  discovery.zen.ping.unicast.hosts: ["103.29.70.96","139.162.88.149"]
  discovery.zen.minimum_master_nodes: 2

starting

  ./elasticsearch -d -p pidfile
  tail -100f ../logs/cluster-01.log

Set the passwords for all built-in users

  bin/x-pack/setup-passwords interactive
  Enter password for [elastic]:
  Reenter password for [elastic]:
  Enter password for [kibana]:
  Reenter password for [kibana]:
  Enter password for [logstash_system]:
  Reenter password for [logsta
2018-02-10 10:10:19    30    0    0

ZooKeeper Server Configuration

Create a service principal for the ZooKeeper server using the syntax zookeeper/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate the ZooKeeper server with the Hadoop cluster. Here fully.qualified.domain.name is the host where the ZooKeeper server is running, and YOUR-REALM is the name of your Kerberos realm.

  kadmin.local
  addprinc -randkey zookeeper/fully.qualified.domain.name@YOUR-REALM.COM

Create a keytab file for the ZooKeeper server.

  kadmin
  kadmin: xst -k zookeeper.keytab zookeeper/fully.qualified.domain.name

Copy the zookeeper.keytab file to the ZooKeeper configuration directory on the ZooKeeper server host.

For a package installation, the ZooKeeper configuration directory is /etc/zookeeper/conf/. For a tarball installation, the ZooKeeper configuration directory is /conf.

The owner of the zookeeper.keytab file should be the zookeeper user and the file

2018-02-10 10:09:44    16    0    0

Prerequisites

Kerberos

Note that if you are using Oracle Java, you will need to download JCE policy files for your Java version and copy them to $JAVA_HOME/jre/lib/security.

Create Kerberos Principals

If you are using the organization's Kerberos or Active Directory server, ask your Kerberos administrator for a principal for each Kafka broker in your cluster and for every operating system user that will access Kafka with Kerberos authentication (via clients and tools).
If you have installed your own Kerberos, you will need to create these principals yourself using the following commands:

  kadmin.local -q 'addprinc -randkey kafka/{hostname}@{REALM}'
  kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}"

Make sure all hosts are reachable by hostname

It is a Kerberos requirement that all your hosts can be resolved by their FQDNs.

Create keytab for broker

  [root@TE
2018-02-10 07:02:21    43    0    0

Introduction to Kerberos

Key terms

  1. KDC

Full name: Key Distribution Center

Role: the service that generates and manages tickets for the whole authentication process; it contains two services, the AS and the TGS.

  2. AS

Full name: Authentication Service

Role: the service that issues a TGT to the client.

  3. TGS

Full name: Ticket Granting Service

Role: the service that issues the client a ticket for a particular service.

  4. AD

Full name: Account Database

Role: stores the whitelist of all clients; only a client present in the whitelist can successfully obtain a TGT.

  5. TGT

Full name: Ticket-Granting Ticket

Role: the ticket used to obtain service tickets.

  6. Client

The client that wants to access some server.

  7. Server

The service that provides some business function.

Authentication flow

Figure 1 shows the Kerberos authentication flow, which consists of three steps overall:

  the client interacts with the AS
  the client interacts with the TGS
  the client interacts with the server

Why does Kerberos use a three-step exchange to complete authentication? To answer that, start from the scenario Kerberos is used in.

Compared with Kerberos, HTTPS is probably more familiar: through certificates and asymmetric encryption it lets a client access a server securely. But that security is one-sided: by verifying the certificate, the client can be sure the server is trustworthy, while the server has no way of knowing whether the client is. That is also a characteristic of the Internet. Kerberos, by contrast, supports mutual authentication: the client can be sure that the server it accesses is trustworthy, and the server can be sure that the client it replies to is trustworthy.

To prove that both the client and the server are trustworthy, a third-party notary has to be introduced; here that is the two services AS and TGS.

  • The client sends a request to the Kerberos service, asking for permission to access the server. On receiving it, Kerberos must first decide whether the client can be trusted, in the sense of a whitelist and blacklist. This is the job of the AS, which distinguishes clients by the whitelist and blacklist stored in the AD. On success, the AS returns a TGT to the client.
  • Having obtained the TGT, the client sends another request to Kerberos, asking for permission to access the server. kerbe
System settings    2017-05-23 03:32:04    20    0    0

Disable firewalld

  service firewalld stop
  chkconfig firewalld off

or

  systemctl stop firewalld.service
  systemctl disable firewalld.service

Install iptables

  yum install iptables-services
  service iptables start

Clear rules

  vi /etc/sysconfig/iptables
  # comment out the following two lines
  #-A INPUT -j REJECT --reject-with icmp-host-prohibited
  #-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Local port forwarding

  iptables -t nat -A PREROUTING -p tcp --dport 21888 -j REDIRECT --to-ports 22888

If the forward also has to work for connections from this host itself, the OUTPUT chain must be configured too (**Note: connections from this host to that port on external hosts will then also be redirected locally, so the external host becomes unreachable; accessing yown.com, for example, would actually hit the local machine. It is recommended not to forward port 80 this way, or to restrict the destination with -d localhost):

  iptables -t nat -A OUTPUT -d localhost -p tcp --dport 21888 -j REDIRECT --to-ports 22888

Reason:
Traffic from outside passes through the PREROUTING chain, but traffic to localhost does not, so the OUTPUT chain has to be used.

Save rules

  service iptables save

Set rules

Flush the rules of every chain in the default filter table

  iptables -F
  iptables -L

Save configuration

  iptables-save > /path/to/config
  # iptables-restore < /path/to/config
  service iptables restart

Set default policies

  # INPUT chain: default DROP
  iptables -P INPUT DROP
  # For OUT
2017-11-20 21:37:02    31    0    0

Zookeeper registry installation

Zookeeper installation

Simple monitor center installation

  wget https://codeload.github.com/alibaba/dubbo/tar.gz/dubbo-2.5.7
  tar zxvf dubbo-2.5.7
  cd dubbo-dubbo-2.5.7/
  mvn -Dmaven.test.skip=true clean install
  find . -name dubbo-monitor-simple*gz
  mkdir ~/dubbo-monitor
  mv ./dubbo-simple/dubbo-monitor-simple/target/dubbo-monitor-simple-2.5.7-assembly.tar.gz ~/dubbo-monitor
  cd ~/dubbo-monitor
  tar zxvf dubbo-monitor-simple-2.5.7-assembly.tar.gz
  cd dubbo-monitor-simple-2.5.7
  # edit the configuration
  vi conf/dubbo.properties
  dubbo.registry.address=zookeeper://112.74.198.224:21888
  dubbo.protocol.host=0.0.0.0
  # start
  cd bin
  ./start.sh
  ./bin/start.sh debug
  # main control entry point:
  ./bin/server.sh start
  ./bin/server.sh stop
  ./bin/server.sh restart
  ./bin/server.sh debug
  ./bin/server.sh dump
  # command line
  telnet 127.0.0.1 7070
  help
  echo status | nc -i 1 127.0.0.1 7070
  # access
  http://127.0.0.1:8080

Dubbo admin console

  find . -name dubbo-admin*war
  w