Linux服务解析-含智能监控运维平台

1、CLIENT TASK

  • 作为DNS服务器域名解析测试的客户端,安装nslookup、dig命令行工具;
  • 作为网站访问测试的客户端,安装firefox浏览器,curl命令行测试工具;
  • 作为SSH远程登录测试客户端,安装ssh命令行测试工具;
  • 作为SAMBA测试的客户端,使用图形界面文件浏览器测试,并安装smbclient工具;
  • 作为FTP测试的客户端,安装lftp命令行工具;
  • 作为防火墙规则效果测试客户端,安装ping命令行工具;
  • 截图的时候请使用上述提到的工具进行功能测试。
# 网络
[root@client ~]# ip a
...
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:1e:4c:0f brd ff:ff:ff:ff:ff:ff
    inet 10.10.100.4/24 brd 10.10.100.255 scope global noprefixroute dynamic ens32
[root@client ~]# ip route
default via 10.10.100.254 dev ens32 proto static metric 100 
10.10.100.0/24 dev ens32 proto kernel scope link src 10.10.100.4 metric 100 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
[root@client ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search sdskills.com
nameserver 172.16.100.201
# DNS服务器域名解析,本域任意域名
[root@client ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@client ~]# vi /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[root@client ~]# yum install -y bind-utils
[root@client ~]# nslookup 
> sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   sdskills.com
Address: 172.16.100.201
> Server01.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   Server01.sdskills.com
Address: 172.16.100.201
> www.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   www.sdskills.com
Address: 172.16.100.201
> web.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   web.sdskills.com
Address: 172.16.100.254
> ftp.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   ftp.sdskills.com
Address: 172.16.100.202
> mail.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   mail.sdskills.com
Address: 172.16.100.202
> asadasd.sdskills.com
Server:         172.16.100.201
Address:        172.16.100.201#53

Name:   asadasd.sdskills.com
Address: 172.16.100.201
# 当遇到无法解析的域名的时候,向skills.com申请更高的域名解析,在server04上面搭建了根域服务器,所有未知域名解析统一解析为Rserver所连接的Internet的ip地址或者Rserver.sdskills.com
[root@server01 ~]# nslookup 
> a.b.c
Server:         172.16.100.201
Address:        172.16.100.201#53

Non-authoritative answer:
Name:   a.b.c
Address: 172.16.100.254
Name:   a.b.c
Address: 192.168.10.2
# 反向
> 172.16.100.201
201.100.16.172.in-addr.arpa     name = sdskills.com.
201.100.16.172.in-addr.arpa     name = www.sdskills.com.
201.100.16.172.in-addr.arpa     name = Server01.sdskills.com.
> 172.16.100.254
254.100.16.172.in-addr.arpa     name = web.sdskills.com.
> 172.16.100.202
202.100.16.172.in-addr.arpa     name = mail.sdskills.com.
202.100.16.172.in-addr.arpa     name = ftp.sdskills.com.
# SSH测试
[root@client ~]# useradd -u 6666 -m -s /bin/bash Chinaskills23
[root@client ~]# su - Chinaskills23
[Chinaskills23@client ~]$ ssh-keygen -t rsa
# 或者ssh-keygen,ssh-copy-id root@ip地址
[Chinaskills23@client ~]$ cat id_rsa.pub > authorized_keys
[Chinaskills23@client ~]$ scp -r -P 3033 root@172.16.100.201:/root/.ssh/
[Chinaskills23@client ~]$ ssh -p 3033 root@172.16.100.201
*********************************
ChinaSkills 2022–CSK
Module C Linux

>>server01<<
>>CentOS Linux release 7.9.2009 (Core)<<
>> Sat Jun 10 21:29:44 CST 2023 <<
*********************************
[root@server01 ~]#
# ftp测试
[root@client ~]# yum install -y lftp
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills.com
lftp webadmin@ftp.sdskills.com:~> ls
lftp webadmin@ftp.sdskills.com:/> quote pwd
257 "/"
lftp webadmin@ftp.sdskills.com:~> put test.doc
put: Access failed: 550 Permission denied. (test.doc)
lftp webadmin@ftp.sdskills.com:/> put test.docx
put: Access failed: 550 Permission denied. (test.docx)
lftp webadmin@ftp.sdskills.com:/> put test.xlsx 
put: Access failed: 550 Permission denied. (test.xlsx)
lftp webadmin@ftp.sdskills.com:/> put test.txt 
lftp webadmin@ftp.sdskills.com:/> 
lftp webadmin@ftp.sdskills.com:/> ls
-rw-r--r--    1 1001     1001            0 Jun 22 13:21 test.txt
# 客户端打开第三个窗口显示无法登录
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills.com
lftp webadmin@ftp.sdskills.com:~> ls
`ls' at 0 [Delaying before reconnect: 29]
# 限制速度
lftp webadmin@ftp.sdskills.com:~> put test
`test' at 1671968 (1%) 97.6K/s eta:17m [Sending data/TLS]

2、RSERVER TASK

零、设置登录界面信息

[root@rserver ~]# vim /etc/profile.d/login.sh
#%-ns,n是缩进的大小,值越大,缩进越大,如没有%-ns,则没有缩进
#####Centos的
#uname -snrvm
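# Login banner printed by /etc/profile.d/login.sh.
# Each '%-Ns' conversion receives an empty argument on purpose: it only emits
# N spaces of left padding in front of the text that follows.
# Command output is passed as a '%s' argument instead of being spliced into
# the format string, so a '%' or '\' in that output is printed literally
# rather than interpreted by printf.
printf '*********************************\n'
printf '%-2s ChinaSkills 2022–CSK\n' ''
printf '%-8s Module C Linux\n' ''
printf '\n'
printf '%-11s >>%s<<\n' '' "$(hostname -s)"
printf '>>%s<<\n' "$(cat /etc/system-release)"
printf '>> %s <<\n' "$(date)"
printf '*********************************\n'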
# 在ssh远程登录时,不记录最后一次登录日志
[root@rserver ~]# vim /etc/ssh/sshd_config
...
PrintMotd no
PrintLastLog no

# Uos的系统关闭本地控制台登录日志信息这样
root@Server04:~# vim /etc/pam.d/login
91行注释掉#session    optional   pam_lastlog.so
[root@rserver ~]# systemctl restart sshd
# 若删除本地登录最后一次登录日志则,第一次登录的时候无记录,但第二次登录的时候有记录
[root@rserver ~]# rm -rvf /var/log/lastlog
欢迎信息的显示顺序是
1、/etc/issue(登录前显示,只在本地显示)
# 清空/etc/issue内容,可以让本地登录的时候界面更加简洁
[root@rserver ~]# echo '' > /etc/issue
2、/etc/motd(登录后显示)常用于通告信息,如计划关机时间的警告等,登陆后的提示信息,Uos系统需要删除此文件
缺点是,现在许多用户登录系统时选择自动进入图形界面,所以这些信息往往看不到
3、/etc/profile(登陆后显示)
4、/etc/profile.d/ (登录后显示)
5、在sshd_config配置文件中定义,首先任意创建文件,然后在配置文件中写上文件的绝对路径
[root@rserver ~]# echo '这是测试' >> /etc/test.net
[root@rserver ~]# vim /etc/ssh/sshd_config
Banner /etc/test.net
[root@rserver ~]# systemctl restart sshd

一、NETWORK

请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名等。

# 关闭防火墙和SELinux(仅适用于隔离的实验环境;setenforce 0 只是临时切换到 permissive 模式,重启后恢复原设置)
[root@rserver ~]# systemctl stop firewalld
[root@rserver ~]# systemctl disable firewalld
[root@rserver ~]# setenforce 0
[root@rserver ~]# hostnamectl set-hostname rserver
[root@rserver ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.100.254 Rserver.sdskills.com Rserver
192.168.10.2 Rserver.skills.com Rserver
[root@rserver ~]# hostname
rserver
[root@rserver ~]# hostname -f
Rserver.skills.com
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens32
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=172.16.100.254
PREFIX=25
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=192.168.10.2
PREFIX=28
[root@rserver ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens34
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=10.10.100.254
PREFIX=24

二、squid

安装squid服务,开启路由转发,为当前实验环境提供路由功能。

1、代理服务器概述

代理上网(传统代理,透明代理)
网站静态页面缓存加速(反向代理)

2、代理的工作机制

代替客户机向网站请求数据,从而隐藏用户的真实IP地址
将获得的网页数据(静态web元素)保存到缓存中并发送给客户机,以便下次请求相同的数据时快速响应

3、代理的类型

传统代理:适用于Internet,需明确指定服务端
透明代理: 客户机不需指定代理服务器的地址和端口,而是通过默认路由、防火墙策略将Web访问重定向给代理服务器处理
反向代理:如果 Squid 反向代理服务器中缓存了该请求的资源,则将该请求的资源直接返回给客户端;否则反向代理服务器将向后台的 WEB 服务器请求资源,然后将请求的应答返回给客户端,同时也将该应答缓存在本地,供下一个请求者使用

4、安装squid

# Centos
[root@rserver ~]# yum install -y vim squid
# UOS
apt-get install squid

5、配置squid

注释掉所有的http_access
...
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
#http_access allow localhost manager
#http_access deny manager
...
dns_v4_first on # 若不添加则查看日志文件,全是503,代理不成功
http_access allow all # 修改访问权限:默认拒绝所有,这里改为允许所有IP。加上前面注释掉的 Safe_ports/SSL_ports 限制,squid 会成为任何来源都能使用的开放代理,仅适合隔离的实验环境;实际部署应使用 acl 只放行内部网段

6、启动服务

# 检查配置文件
[root@rserver ~]# squid -k parse
# 重新加载配置文件
[root@rserver ~]# squid -k reconfigure
[root@rserver ~]# systemctl enable --now squid

7、查看端口号

[root@rserver ~]# ss -ntulp |grep squid
udp    UNCONN     0      0         *:46870                 *:*                   users:(("squid",pid=10492,fd=8))
udp    UNCONN     0      0      [::]:53336              [::]:*                   users:(("squid",pid=10492,fd=6))
tcp    LISTEN     0      128    [::]:3128               [::]:*                   users:(("squid",pid=10492,fd=11))

四、DHCP

  • 为客户端分配IP范围是10.10.100.1-10.10.100.50;
  • DNS:按照实际需求配置DNS服务器地址选项;
  • GATEWAY:按照实际需求配置网关地址选项。
# 安装
[root@rserver ~]# yum install -y dhcp
[root@rserver ~]# cp -rvf /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@rserver ~]# vim /etc/dhcp/dhcpd.conf 
default-lease-time 3600;
max-lease-time 7200;
log-facility local7;
# A slightly different configuration for an internal subnet.
subnet 10.10.100.0 netmask 255.255.255.0 {
  range 10.10.100.1 10.10.100.50;
  option domain-name-servers 172.16.100.201;
  option domain-name "sdskills.com";
  option routers 10.10.100.254;
}
[root@rserver ~]# systemctl enable --now dhcpd
# 查看服务端分发的租约
[root@rserver CA]# cat /var/lib/dhcpd/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5

lease 10.10.100.3 {
  starts 0 2023/06/04 08:08:15;
  ends 0 2023/06/04 08:18:15;
  tstp 0 2023/06/04 08:18:15;
  cltt 0 2023/06/04 08:08:15;
  binding state free;
  hardware ethernet 00:0c:29:1e:4c:0f;
}
server-duid "\000\001\000\001,\016\301\027\000\014)+<\305";

lease 10.10.100.3 {
  starts 0 2023/06/04 08:51:17;
  ends 0 2023/06/04 09:51:17;
  cltt 0 2023/06/04 08:51:17;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0c:29:1e:4c:0f;
  client-hostname "client";
}
# 查看客户端获得的租约
[root@client ~]# cat /var/lib/dhclient/dhclient.leases 
lease {
  interface "ens32";
  fixed-address 10.10.100.3;
  option subnet-mask 255.255.255.0;
  option routers 10.10.100.254;
  option dhcp-lease-time 600;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.10.4;
  option dhcp-server-identifier 10.10.100.254;
  option domain-name "skills.com";
  renew 0 2023/06/04 05:01:22;
  rebind 0 2023/06/04 05:05:08;
  expire 0 2023/06/04 05:06:23;
}
...

五、SSH

  • 安装SSH
  • 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;
  • 配置client只能在Chinaskills23用户环境下可以免密钥登录,端口号为2022,并且拥有root控制权限。
[root@rserver ~]# vim /etc/hosts.deny
sshd:ALL:Deny
[root@rserver ~]# vim /etc/hosts.allow 
sshd:10.10.100.3:Allow
[root@rserver ~]# vim /etc/ssh/sshd_config
...
Port 2022
[root@rserver ~]# systemctl restart sshd
[root@client ~]# useradd -u 6666 -m -s /bin/bash Chinaskills23
[root@client ~]# echo "Chinaskills23" | passwd --stdin Chinaskills23
[root@client ~]# su - Chinaskills23
[Chinaskills23@client ~]$ ssh-keygen
[Chinaskills23@client ~]$ ssh-copy-id -p 2022 root@10.10.100.254
[Chinaskills23@client ~]$ ssh -p 2022 root@10.10.100.254 # 免密登录
[Chinaskills23@client ~]$ Ctrl+D

六、CA(证书颁发机构)

  • CA根证书路径/CA/cacert.pem;
  • 签发数字证书,颁发者信息:
  • 国家 = CN
  • 单位 = Inc
  • 组织机构 = www.skills.com
  • 公用名 = Skill Global Root CA
  • 创建用户组ldsgp,将zsuser、lsusr、wuusr添加到组内。

1、安装证书服务

[root@rserver ~]# yum -y install openssl*

2、配置根证书服务器

[root@rserver ~]# vim /etc/pki/tls/openssl.cnf # 编辑openssl.cnf配置文件
...
dir = /CA
...
certificate = $dir/cacert.pem
...
private_key = $dir/private/csk-ca.pem
[root@rserver CA]# mkdir -pv /CA # 创建目录
[root@rserver CA]# cp -prvf /etc/pki/CA/* /CA/ # 把/etc/pki/CA/目录下的所有目录或者文件复制到/CA目录里面
[root@rserver CA]# cd /CA
[root@rserver CA]# touch index.txt # 记录颁发证书的信息
[root@rserver CA]# echo 01 > serial # 记录证书编号
[root@rserver CA]# openssl genrsa -out private/csk-ca.pem 2048 # 生成私钥(CA私钥应仅root可读,可先执行 umask 077,或生成后 chmod 600 private/csk-ca.pem)

3、签发自签名证书

[root@rserver CA]# openssl req -new -x509 -days 3650 -key private/csk-ca.pem -out cacert.pem
...
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (eg, your name or your server's hostname) []:Skill Global Root CA
Email Address []:

4、查看根证书信息

[root@rserver CA]# openssl x509 -text -in cacert.pem -noout | grep Subject
        Subject: C=CN, L=Default City, O=Inc, OU=www.skills.com, CN=Skill Global Root CA
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 

到此CA证书颁发机构就配置完成!!!!

扩展一些CA证书知识

CA证书后缀名代表的含义:
证书(Certificate) - *.cer *.crt
私钥(Private Key) - *.key
证书签名请求(Certificate signing request) - *.csr
证书吊销列表(Certificate Revocation List) - *.crl
dir----存放证书的目录
certs----存储签发的数字证书
database------记录颁发证书的信息(通常要创建index.txt文件)
serial-----记录证书的编号(创建serial文件,内容为01)
private----存放CA证书服务器的私钥
-new: 生成新证书签署请求
-x509: 专用于 CA 生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out: 证书的保存路径

5、创建用户组

[root@rserver CA]# groupadd ldsgp
# 也能使用usermod,gpasswd等
[root@rserver CA]# useradd -u 1001 -m -g ldsgp zsuser
[root@rserver CA]# useradd -u 1002 -m -g ldsgp lsusr
[root@rserver CA]# useradd -u 1003 -m -g ldsgp wuusr 

[root@rserver CA]# echo "Chinaskills23" | passwd --stdin zsuser
Changing password for user zsuser.
passwd: all authentication tokens updated successfully.
[root@rserver CA]# echo "Chinaskills23" | passwd --stdin lsusr
Changing password for user lsusr.
passwd: all authentication tokens updated successfully.
[root@rserver CA]# echo "Chinaskills23" | passwd --stdin wuusr
Changing password for user wuusr.
passwd: all authentication tokens updated successfully.

[root@rserver CA]# id zsuser
uid=1001(zsuser) gid=1002(zsuser) groups=1001(ldsgp)
[root@rserver CA]# id lsusr
uid=1002(lsusr) gid=1003(lsusr) groups=1001(ldsgp)
[root@rserver CA]# id wuusr
uid=1003(wuusr) gid=1004(wuusr) groups=1001(ldsgp)

七、Web Proxy

  • 安装Nginx组件;
  • 配置文件名为proxy.conf,放置在/etc/nginx/conf.d/目录下;
  • 为www.chinaskills.cn配置代理前端,通过HTTPS的访问后端Web服务器;
  • 后端服务器日志内容需要记录真实客户端的IP地址;
  • 缓存后端Web服务器上的静态页面;
  • 创建服务监控脚本:/shells/chkWeb.sh;
  • 编写脚本监控公司的网站运行情况;
  • 脚本可以在后台持续运行;
  • 每隔3S检查一次网站的运行状态,如果发现异常尝试3次;
  • 如果确定网站无法访问,则返回用户“网站正在维护中,请您稍后再试”的页面。
# 后端web服务器配置,必须配置,不然无法记录代理前端的ip地址
[root@server01 ~]# vim /etc/httpd/conf/httpd.conf
# 在%h后面添加%{x-real-ip}i(该请求头由前端代理填写;客户端也可以自行伪造,所以只有在后端仅接受代理转发的请求时,这个字段才可信)
LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %{x-real-ip}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
[root@server01 ~]# vim /etc/httpd/conf.d/web.conf 
<VirtualHost *:443>
        DocumentRoot "/data/share/htdocs/skills"
        ServerName rserver.sdskills.com
        SSLEngine on
        SSLCertificateFile /CA/cacert.pem
        SSLCertificatekeyFile /CA/https.key
        <Directory "/data/share/htdocs/skills">
                AllowOverride None
                Require all granted
        </Directory>
</VirtualHost>
[root@server01 ~]# systemctl restart httpd
# 若没有配置缓存后端web服务器上的静态页面,则每次刷新都会产生新的日志信息
[root@server01 ~]# tail -f /var/log/httpd/access_log
172.16.100.254 10.10.100.4 - zsuser [21/Jun/2023:22:08:21 +0800] "GET /staff.html HTTP/1.0" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
# 本机
# 缓存静态内容*可以改为location ~.*\.(gif|jpg|png|css|js)(.*)
[root@rserver ~]# vim /etc/nginx/conf.d/proxy.conf 
# Reverse-proxy front end for web.sdskills.com with an on-disk response cache.
# NOTE(review): the cache directory is placed under /tmp, which is writable by
# every local user; a dedicated directory owned by the nginx worker user is
# the safer choice — confirm before reusing this outside the lab.
proxy_cache_path /tmp/cache levels=1:2 keys_zone=web:500m;
# Plain-HTTP listener: answers every request with a redirect to the HTTPS site.
server {
        listen 80;
        server_name web.sdskills.com;
        return 301 https://web.sdskills.com;
}

# HTTPS listener: terminates TLS and forwards requests to the backend.
server {
        server_name web.sdskills.com;
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/sdskills.crt; # paths of the TLS certificate and its private key
        ssl_certificate_key /etc/nginx/ssl/sdskills.key;
        # Regex location; ".*\.*" also matches the empty string, so it applies
        # to every request URI, not only to static files.
        # NOTE(review): because every URI is cached, pages the backend protects
        # with authentication can be cached too; consider restricting the
        # location to static file types or using proxy_no_cache /
        # proxy_cache_bypass keyed on $http_authorization.
        location ~.*\.* {
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled together with proxy_ssl_trusted_certificate.
        proxy_pass https://www.sdskills.com;
        # Set x-real-ip to the address of the connecting client so the backend
        # can log it; this replaces any value the client sent itself.
        proxy_set_header x-real-ip $remote_addr;
        proxy_cache web;
        #add_header wall "this is cache web";
        proxy_set_header Host $host;
        # Keep 200/301/302 responses for 24 hours and all other responses for 5 minutes.
        proxy_cache_valid 200 302 301 24h;
        proxy_cache_valid any 5m;
        }
}
[root@rserver ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@rserver ~]# /sbin/nginx -s reload
[root@rserver ~]# systemctl restart nginx
# 本机直接记录真实的客户端ip地址
# 创建缓存目录
[root@rserver ~]# tail -f /var/log/nginx/access.log
10.10.100.4 - - [21/Jun/2023:22:15:52 +0800] "GET /success.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" "-"
[root@rserver ~]# mkdir -pv /shells
mkdir: created directory ‘/shells’

# 快速拿分写法
#!/bin/bash
# Quick variant: probe the site every 3 seconds, forever, printing the
# response headers of each probe.
# --head sends a HEAD request; --insecure skips TLS certificate verification.
while :; do
  curl --head --insecure https://web.chinaskills.cn
  sleep 3
done
[root@rserver ~]# vim /shells/chkWeb.sh
# 自己学习写的
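#!/bin/bash
# chkWeb.sh - poll the site every 3 seconds and report whether it answers
# with HTTP 200. After a failed check the site is probed up to three more
# times; if all three fail, the maintenance message is printed. The script
# never exits on its own, so it can be left running in the background.
url=https://web.sdskills.com

#######################################
# Print the HTTP status code returned for a HEAD request.
# Arguments: $1 - URL to probe
# Outputs:   the numeric status code on stdout ("000" when curl got no reply)
#######################################
http_code() {
  # The status code is read from curl's own %{http_code} instead of grepping
  # the status line for "OK": HTTP/2 replies carry no reason phrase, and any
  # other header containing "OK" would corrupt the parsed value.
  # --max-time keeps a hung connection from blocking the monitor.
  # NOTE(review): -k disables TLS certificate verification. That is only
  # acceptable here because the lab uses its own CA; pointing curl at that CA
  # with --cacert /CA/cacert.pem would keep verification on.
  curl -s -k -I -o /dev/null --max-time 5 -w '%{http_code}' "$1"
}

while true; do
  code=$(http_code "$url")
  sleep 3
  if [[ "$code" == 200 ]]; then
    echo "$url 正常打开 3s"
    continue
  fi

  # First check failed: retry up to three times, 3 seconds apart.
  for i in 1 2 3; do
    code=$(http_code "$url")
    if [[ "$code" == 200 ]]; then
      echo "$url 正常打开"
      # The site recovered, so the remaining retries are unnecessary.
      break
    fi
    echo "$url 异常 $i"
    if [[ $i -eq 3 ]]; then
      echo "网站正在维护中,请您稍后再试"
    else
      sleep 3
    fi
  done
done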

3、SERVER01 TASK

一、NETWORK

请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

[root@server01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 
...
BOOTPROTO=static
...
ONBOOT=yes
IPADDR=172.16.100.201
PREFIX=25
GATEWAY=172.16.100.254
[root@server01 ~]# hostnamectl set-hostname server01
[root@server01 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# yum install -y vim
[root@server01 ~]# vim /etc/hosts
...
172.16.100.201 Server01.sdskills.com Server01
[root@server01 ~]# vim /etc/resolv.conf
nameserver 192.168.10.4

二、DISK(RAID5)

  • 在虚拟机上添加4个1G的硬盘;
  • 创建raid5,其中一个作为热备盘,设备名为md0;
  • 将md0设置为LVM,设备为/dev/vg01/lv01;
  • 格式化为ext4文件系统;
  • 开机自动挂载到/data目录。
[root@server01 ~]# yum install -y mdadm
[root@server01 ~]# mdadm -Cv /dev/md0 -l 5 -n 3 /dev/sdb /dev/sdc /dev/sdd -x 1 /dev/sde 
mdadm: layout defaults to left-symmetric
mdadm: layout defaults to left-symmetric
mdadm: chunk size defaults to 512K
mdadm: size set to 1046528K
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.
[root@server01 ~]# mdadm -Ds /dev/md0 
ARRAY /dev/md0 metadata=1.2 spares=1 name=server01:0 UUID=16e696e4:3a832db8:001ab590:059f7a76
[root@server01 ~]# mdadm -Dv /dev/md0  
\/dev/md0:
           Version : 1.2
     Creation Time : Sun Jun  4 17:04:12 2023
        Raid Level : raid5
        Array Size : 2093056 (2044.00 MiB 2143.29 MB)
     Used Dev Size : 1046528 (1022.00 MiB 1071.64 MB)
      Raid Devices : 3
     Total Devices : 4
       Persistence : Superblock is persistent

       Update Time : Sun Jun  4 17:04:18 2023
             State : clean 
    Active Devices : 3
   Working Devices : 4
    Failed Devices : 0
     Spare Devices : 1

            Layout : left-symmetric
        Chunk Size : 512K

Consistency Policy : resync

              Name : server01:0  (local to host server01)
              UUID : 16e696e4:3a832db8:001ab590:059f7a76
            Events : 18

    Number   Major   Minor   RaidDevice State
       0       8       16        0      active sync   /dev/sdb
       1       8       32        1      active sync   /dev/sdc
       4       8       48        2      active sync   /dev/sdd

       3       8       64        -      spare   /dev/sde
# 保存此配置文件
echo "DEVICE /dev/sd{b,c,d,e}" >> /etc/mdadm.conf
echo "`mdadm -Ds`" >> /etc/mdadm.conf
# 查看RAID状态
cat /proc/mdstat
mdadm -Dv /dev/md0
# 设置成LVM
[root@server01 ~]# vgcreate vg01 /dev/md0 
  Physical volume "/dev/md0" successfully created.
  Volume group "vg01" successfully created
[root@server01 ~]# lvcreate -n lv01 -L 1.99G vg01
# 格式化并挂载
[root@server01 ~]# mkfs.ext4 /dev/vg01/lv01
[root@server01 ~]# mkdir -pv /data
[root@server01 ~]# chmod -R 775 /data/
[root@server01 ~]# blkid /dev/vg01/lv01
/dev/vg01/lv01: UUID="d94c2d3a-5656-4c28-9b1a-a336028b4674" TYPE="ext4" 
[root@server01 ~]# echo 'UUID="d94c2d3a-5656-4c28-9b1a-a336028b4674"' /data/ ext4 defaults 0 0 >> /etc/fstab 
[root@server01 ~]# mount -a
[root@server01 ~]# df -hT
Filesystem              Type      Size  Used Avail Use% Mounted on
devtmpfs                devtmpfs  898M     0  898M   0% /dev
tmpfs                   tmpfs     910M     0  910M   0% /dev/shm
tmpfs                   tmpfs     910M  9.5M  900M   2% /run
tmpfs                   tmpfs     910M     0  910M   0% /sys/fs/cgroup
/dev/mapper/centos-root xfs        37G  1.4G   36G   4% /
/dev/sda1               xfs      1014M  138M  877M  14% /boot
tmpfs                   tmpfs     182M     0  182M   0% /run/user/0
/dev/mapper/vg01-lv01   ext4      1.0G  2.7M  951M   1% /data

三、NFS

  • 共享/data/share目录;
  • 用于存储server01主机的web数据;
  • 仅允许service01主机访问该共享。
[root@server01 ~]# mkdir -pv /data/share
[root@server01 ~]# chmod o+w /data/share/
[root@server01 ~]# ll -d /data/share/
drwxr-xrwx 2 root root 4096 Jun  6 16:10 /data/share/
[root@server01 ~]# yum install -y nfs-utils
[root@server01 ~]# vim /etc/exports
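# 注意:172.16.100.201/25 匹配的是整个/25网段而不是单台主机,若只允许一台主机应写成单个IP;no_root_squash 会让客户端的root在共享目录上保留root权限,仅适合实验环境
/data/share 172.16.100.201/25(rw,sync,no_root_squash)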
[root@server01 ~]# systemctl enable --now rpcbind nfs nfs-server
[root@server01 ~]# exportfs -rav
exporting 172.16.100.201/25:/data/share
[root@server01 ~]# showmount -e 172.16.100.201
Export list for 172.16.100.201:
/data/share 172.16.100.201/25
[root@server01 ~]# df -hT
Filesystem                 Type      Size  Used Avail Use% Mounted on
devtmpfs                   devtmpfs  898M     0  898M   0% /dev
tmpfs                      tmpfs     910M     0  910M   0% /dev/shm
tmpfs                      tmpfs     910M  9.5M  900M   2% /run
tmpfs                      tmpfs     910M     0  910M   0% /sys/fs/cgroup
/dev/mapper/centos-root    xfs        37G  1.4G   36G   4% /
/dev/sda1                  xfs      1014M  138M  877M  14% /boot
tmpfs                      tmpfs     182M     0  182M   0% /run/user/0
/dev/mapper/vg01-lv01      ext4      1.0G  2.7M  951M   1% /data

四、DNS

  • 安装DNS服务相关软件包;
  • 建立sdskills.com域,为所有除Internet区域的主机或服务器建立正\反的域名解析;
  • 当出现无法解析的域名时,向域skills.com申请更高层次的解析。
[root@server01 ~]# yum install -y bind bind-utils bind-chroot
[root@server01 named]# vim /etc/named.conf
...
listen-on port 53 { any; };
#listen-on-v6 port 53 { ::1; };
allow-query     { 10.10.100.0/24;172.16.100.128/25; };
forward first;
forwarders { 192.168.10.4; };
...
recursion yes;
dnssec-enable no;
dnssec-validation no;
[root@server01 named]# vim /etc/named.rfc1912.zones
...
zone "sdskills.com" IN {
        type master;
        file "sdskills.com.zx";
        allow-update { none; };
};

zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "sdskills.com.fx";
        allow-update { none; };
};
[root@server01 named]# cp -a /var/named/named.localhost /var/named/sdskills.com.zx
[root@server01 named]# cp -a /var/named/named.loopback /var/named/sdskills.com.fx
[root@server01 named]# vim /var/named/sdskills.com.zx
$TTL 1D
@       IN SOA  sdskills.com sdskills.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      Server01.sdskills.com.
Server01 A      172.16.100.201
@       A       172.16.100.201
@       MX      10 sdskills.com.
www     A       172.16.100.201
rserver A   172.16.100.254
ftp     A       172.16.100.202
*       A       172.16.100.201
[root@server01 named]# vim sdskills.com.fx 
$TTL 1D
@       IN SOA  sdskills.com root.sdskills.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      Server01.sdskills.com.
201     PTR     Server01.sdskills.com.
@       A       172.16.100.201
@       MX      10 sdskills.com.
201     PTR     sdskills.com.
201     PTR     www.sdskills.com.
254     PTR     rserver.sdskills.com.
202     PTR     ftp.sdskills.com.
[root@server01 named]# systemctl enable --now named
[root@server01 named]# vim /etc/resolv.conf
nameserver 172.16.100.201

六、SSH

  • 安装SSH
  • 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;
  • 配置client只能在Chinaskills23用户环境下可以免密钥登录,端口号为3033,并且拥有root控制权限;
# 第一种配置在ssh主配置文件中
[root@server01 ~]# vim /etc/ssh/sshd_config
Port 3033
...
AllowUsers *@10.10.100.*
...
PubkeyAuthentication yes
[root@server01 ~]# systemctl restart sshd
# 第二种配置在主机允许和拒绝中配置
[root@server01 ~]# vim /etc/hosts.deny
sshd:ALL:Deny
[root@server01 ~]# vim /etc/hosts.allow
sshd:10.10.100.*:Allow
[root@server01 ~]# systemctl restart sshd
[root@server01~]# mkdir -pv ~/.ssh

七、DBMS

  • 在Server01上完成MariaDB数据库的安装,添加数据库root用户密码为Chinaskills23
  • 安装MariaDB数据库服务器组件;
  • MariaDB数据库管理员信息:User: root/Password: Chinaskills23
  • 安装MariaDB WEB管理面板“phpMyAdmin”,通过apache进行发布
  • 安装phpMyAdmin,MariaDB的web管理面板组件;
  • 安装apache,配置php环境,用于发布phpMyAdmin;
[root@server01 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# yum install -y mariadb-server php php-mysql php-mbstring

[root@server01 ~]# systemctl enable --now mariadb
echo "
y
Chinaskills23
Chinaskills23
y
n
y
y
"|mysql_secure_installation
[root@server01 phpMyAdmin]# mysql -uroot -pChinaskills23
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
# 开启root用户远程登录(root@'%' 允许从任意主机以root身份连接,仅适合实验环境;实际环境应限定来源主机,并改用权限受限的专用账号)
MariaDB [(none)]> grant all privileges on *.* to root@'%' identified by 'Chinaskills23';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye
[root@server01 ~]# yum install -y unzip.x86_64
[root@server01 ~]# unzip phpMyAdmin-4.4.15.10-all-languages.zip -d /data/share/htdocs/skills/
[root@server01 ~]# chown -R webuser:webuser /data/share/htdocs/skills/phpMyAdmin
# 非常重要,若没有写入权限则导致无法正常访问,因为当前运行apache的用户为webuser,所以要改权限
[root@server01 ~]# chown -R webuser:webuser /var/lib/php/session/
[root@server01 ~]# vim /data/share/htdocs/skills/phpMyAdmin/libraries/config.default.php
# 数据库用户名
$cfg['Servers'][$i]['user'] = 'root';
...
# 数据库密码(以明文保存在配置文件中;如果 auth_type 设为 config,能打开该页面的人无需登录即可使用这个root账号)
$cfg['Servers'][$i]['password'] = 'Chinaskills23';

八、SDN服务

  • 安装opendaylight、mininet、Ovs软件平台。
  • 启动OpenDayLight的karaf程序,安装如下组件:odl-restconf、odl-l2switch-switch-ui、odl-mdsal-apidocs、odl-dluxapps-applications。
  • 使用Mininet和OpenVswitch构建拓扑,连接ODL的6653端口如下拓扑结构:
  • 在浏览器上可以访问ODL管理页面查看网元拓扑结构。
  • 通过OVS手工下发流表,H1可以ping通H3,H1、H3无法ping通H2。
  • H1启动HTTP-Server功能,WEB端口为8080,H3作为HTTP-Client,获取H1的html网页配置文件。

1、上传所需要的软件包

2.解压和安装软件包

[root@server01 bin]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# yum -y install java-1.8.0-openjdk net-tools
[root@server01 ~]# rpm -ql java-1.8.0-openjdk #查看是否安装java包或路径
[root@server01 ~]# yum -y install openvswitch-2.5.0-2.el7.x86_64.rpm python-networkx-core-1.8.1-12.el7.noarch.rpm python-networkx-1.8.1-12.el7.noarch.rpm mininet-2.2.2-2.el7.x86_64.rpm telnet
[root@server01 ~]# systemctl enable --now openvswitch.service

复制JRE路径/usr/lib/jvm/java-1.8.0openjdk-1.8.0.262.b10-1.el7.x86_64/jre/,并且编辑/etc/profile文件(在最后一行添加)
重新加载profile文件

3.启动OpenDayLight和启动karaf,并安装组件

[root@server01 ~]# unzip distribution-karaf-0.6.0-Carbon.zip
[root@server01 ~]# cd distribution-karaf-0.6.0-Carbon/bin
opendaylight-user@root>feature:install odl-restconf
opendaylight-user@root>feature:install odl-l2switch-switch-ui
opendaylight-user@root>feature:install odl-mdsal-apidocs
opendaylight-user@root>feature:install odl-dluxapps-applications

4、构建拓扑结构

一、命令创建拓扑图
mn --controller=remote,ip=172.16.100.201,port=6653 --topo=tree,1,3 --switch=ovs,protocols=OpenFlow10
二、python程序编写拓扑图
from mininet.topo import Topo   #导入mininet.topo模块里面的Topo成员

class MyTopo(Topo):
    """Star topology: one switch (s1) with three hosts (h1, h2, h3) attached."""

    def __init__(self):
        # Initialise the Topo base class before adding nodes to it.
        Topo.__init__(self)
        switch = self.addSwitch('s1')
        # Create every host first, then link the hosts to the switch in the
        # same order (h1, h2, h3), exactly as the links are listed.
        hosts = [self.addHost(label) for label in ('h1', 'h2', 'h3')]
        for host in hosts:
            self.addLink(switch, host)


# Topology registry: the 'mytopo' key maps to a factory that builds MyTopo.
topos = {'mytopo': lambda: MyTopo()}

查看拓扑结构,默认用户名密码为admin(http://172.16.100.201:8181/index.html#/login);默认口令是公开的,实验环境之外应立即修改

5.按照题目下发流表,并测试

sh ovs-ofctl add-flow s1 in_port=2,actions=drop

6.配置HTTP-Server服务,端口号为8080

先在distribution-karaf-0.6.0-Carbon/bin/目录下创建一个HTML文件

h1 python -m SimpleHTTPServer 8080 & #h1上启用http服务,端口号为8080

4、SERVER02 TASK

一、NETWORK

  • 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。
[root@server02 ~]# systemctl disable --now firewalld
[root@server02 ~]# iptables -F
[root@server02 ~]# iptables -X
[root@server02 ~]# iptables -Z
[root@server02 ~]# iptables-save 
# Generated by iptables-save v1.4.21 on Mon Jun 12 21:47:43 2023
*filter
:INPUT ACCEPT [18:1584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:1392]
COMMIT
# Completed on Mon Jun 12 21:47:43 2023
[root@server02 ~]# setenforce 0
setenforce: SELinux is disabled
[root@server02 ~]# vi /etc/selinux/config
SELINUX=disabled
[root@server02 ~]# hostnamectl set-hostname server02
[root@server02 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.100.202 Server02.sdskills.com Server02
[root@server02 ~]# hostname -s
server02
[root@server02 ~]# hostname -f
Server02.sdskills.com
[root@server02 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens32
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.16.100.202
PREFIX=25
GATEWAY=172.16.100.254
[root@server02 ~]# vi /etc/resolv.conf
nameserver 172.16.100.201

二、FTP

  • 禁止使用不安全的FTP,请使用“CSK Global Root CA”证书颁发机构,颁发的证书,启用FTPS服务;
  • 用户webadmin,登录ftp服务器,根目录为/webdata/;
  • 登录后限制在自己的根目录;
  • 允许WEB管理员上传和下载文件,但是禁止上传后缀名为.doc .docx .xlsx的文件。
  • 限制用户的下载最大速度为100kb/s;最大同一IP在线人数为2人;
  • 用于通过工具或者浏览器下载的最大速度不超过100kb/s
  • 一个IP地址同时登陆的用户进程/人数不超过2人。

1、安装vsftpd服务

[root@server02 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server02 ~]#  vi /etc/yum.repos.d/a.repo
[d]
baseurl=file:///mnt
gpgcheck=0
[root@server02 ~]# yum install -y vsftpd vim

2、创建本地用户

# 执行以下来创建用户并设置各自的密码
[root@server02 ~]# useradd webadmin
[root@server02 ~]#echo 'Chinaskills23'|passwd --stdin webadmin
Changing password for user webadmin.
passwd: all authentication tokens updated successfully.
[root@server02 ~]# mkdir -pv /webdata
[root@server02 ~]# chown webadmin:webadmin /webdata

3、结合SSL/TLS实现加密通信

注意,使用CA证书颁发机构生成服务私钥及CA证书
# 首先创建ssl目录,然后在CA证书颁发机构上面生成vsftpd服务私钥
[root@server02 ~]# mkdir -pv /etc/vsftpd/ssl
[root@server02 ~]# umask 077;openssl genrsa -out vsftpd.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
......+++
e is 65537 (0x10001)
# 接下来生成证书签署请求
[root@server02 ~]# openssl req -new -key vsftpd.key -out vsftpd.csr
CN
China
BeiJing
skills
Operations Departments
ftp.chinaskills.cn
无
无
无
# CA签署请求
[root@server02 ~]# openssl x509 -req -days 3650 -in vsftpd.csr -CA /csk-rootca/csk-ca.pem -CAkey /csk-rootca/private/csk-ca.pem -CAcreateserial -out vsftpd.crt
[root@server02 ~]# scp vsftpd.* 192.168.100.200:/etc/vsftpd/ssl/

4、编辑主配置文件

[root@server02 ~]# vim /etc/vsftpd/vsftpd.conf
# vsftpd main configuration for the FTPS service used by the webadmin user.
# NOTE(review): vsftpd does not accept a comment after a value on the same
# line; the trailing "# ..." annotations below are explanations for the reader
# and have to be removed (or moved to their own lines) in the deployed file.
# NOTE(review): anonymous logins stay enabled here. With allow_anon_ssl=NO
# further down, anonymous sessions appear to be limited to plain FTP, which
# conflicts with the "no insecure FTP" requirement — confirm whether NO was intended.
anonymous_enable=YES
local_enable=YES # allow local (system) users to log in
local_root=/webdata # directory local users are placed in after login
write_enable=YES # allow local users to write
local_umask=022 # umask applied to files created by local users
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
#ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES # confine every local user to their own root; with NO they can browse any directory
allow_writeable_chroot=YES # permit a writable chroot directory, otherwise login fails with an error
#chroot_list_enable=YES # enable the list of users the chroot rule applies to
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list # absolute path of that user list
listen=NO
listen_ipv6=YES

pam_service_name=vsftpd # name of the PAM service file
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
listen_port=21
idle_session_timeout=300
guest_enable=YES
guest_username=vsftpd
user_config_dir=/etc/vsftpd/vconf
# NOTE(review): the two 1-second timeouts below (data_connection_timeout,
# connect_timeout) are far shorter than usual — confirm they are intended.
data_connection_timeout=1
virtual_use_local_privs=YES
deny_file={*.doc,*.docx,*.xlsx} # refuse access to files with these extensions
accept_timeout=5
connect_timeout=1
ssl_enable=YES
# NOTE(review): SSLv3 is an obsolete, insecure protocol. ssl_sslv3 is set
# again to NO further down; presumably the later value wins, so this line
# should simply be dropped.
ssl_sslv3=YES # change to NO if this causes an error
# NOTE(review): this also enables TLS 1.0; ssl_tlsv1_2=YES below is the
# setting that matters for current clients.
ssl_tlsv1=YES
allow_anon_ssl=NO
# Require TLS for both the login and the data connection of local users.
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
# Transfer rate cap for local users, in bytes per second.
local_max_rate=100000
# NOTE(review): max_clients caps the total number of connected clients; the
# task asks for a per-IP limit of 2, which is what max_per_ip controls.
max_clients=2

# userlist_enable=YES # turn on the user list file
# userlist_deny=NO # treat the user list as an allow list instead of a deny list
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
debug_ssl=YES
# chown_username=username  owner assigned to files uploaded by anonymous users

5、开启服务

[root@server02 ~]# systemctl enable --now vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

6、安装Lftp

[root@client ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@client ~]# yum install -y lftp

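7、设置为不检查证书

注意:ssl:verify-certificate no 会关闭对服务器证书的校验,连接虽然仍然加密,但客户端无法确认对端身份,存在被中间人冒充的风险,只适合在本实验环境中临时使用。更合适的做法是让lftp信任签发该证书的CA(例如在/etc/lftp.conf中用 set ssl:ca-file 指向CA证书文件),并保证证书中的名称与实际访问的域名一致。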

[root@client ~]# echo "set ssl:verify-certificate no" >> /etc/lftp.conf

8、测试

[root@client ~]# touch test.doc test.docx test.xlsx test.txt
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills.com
lftp webadmin@ftp.sdskills.com:~> ls
lftp webadmin@ftp.sdskills.com:/> quote pwd
257 "/"
lftp webadmin@ftp.sdskills.com:/> put test.doc
put: Access failed: 550 Permission denied. (test.doc)
lftp webadmin@ftp.sdskills.com:/> put test.docx
put: Access failed: 550 Permission denied. (test.docx)
lftp webadmin@ftp.sdskills.com:/> put test.xlsx
put: Access failed: 550 Permission denied. (test.xlsx)
lftp webadmin@ftp.sdskills.com:/> put test.txt
lftp webadmin@ftp.sdskills.com:/> ls
-rw-r--r--    1 1001     1001            0 Jun 12 15:00 test.txt
lftp webadmin@ftp.sdskills.com:/>
[root@server02 ~]# cat /etc/vsftpd/vsftpd.conf |grep rate
local_max_rate=100000
# 前两个窗口保持登录,打开第三个窗口后连接失败,说明连接数限制已经生效
[root@client ~]# lftp -u webadmin,Chinaskills23 ftp.sdskills.com
lftp webadmin@ftp.sdskills.com:~> ls
`ls' at 0 [Delaying before reconnect: 26] 

四、SSH

  • 安装SSH
  • 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;
  • 配置client只能在Chinaskills23用户环境下可以免秘钥登录,端口号为4044,并且拥有root控制权限;
[root@server02 ~]# vim /etc/ssh/sshd_config
# 注意在此处,因为office区域与service区域通过内部路由互通,查询路由表后可以直接经内部路由到达,所以规则直接指向office区域的主机
# 说明:10.10.100.* 会放行整个网段,比题目要求的“仅允许client”范围更大;如果client的地址固定,建议只写client的具体IP
Port 4044
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
AllowUsers *@10.10.100.*,172.16.100.129
[root@server02 ~]# cat /etc/hosts.deny 
...
sshd:ALL
[root@server02 ~]# cat /etc/hosts.allow 
...
sshd:10.10.100.*,172.16.100.129:allow
[root@server02 ~]# systemctl restart sshd
[Chinaskills23@client ~]$ ssh-copy-id -p 4044 root@172.16.100.202
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/Chinaskills23/.ssh/id_rsa.pub"
The authenticity of host '[172.16.100.202]:4044 ([172.16.100.202]:4044)' can't be established.
ECDSA key fingerprint is SHA256:BYuNLUifkYsK9XpmQsineDia4ee1/nHXmKkO1P5ml44.
ECDSA key fingerprint is MD5:16:46:fa:e9:14:a7:dd:7a:35:1b:42:43:e8:04:b2:b0.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.100.202's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '4044' 'root@172.16.100.202'"
and check to make sure that only the key(s) you wanted were added.

[Chinaskills23@client ~]$ ssh -p 4044 root@172.16.100.202
[Chinaskills23@client ~]$ ssh -p 4044 root@172.16.100.202
Last login: Sat Jun 17 22:09:51 2023 from 172.16.100.129
[root@server02 ~]# logout

5、SERVER03 TASK

一、NETWORK

  • 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。
root@Server03:~# hostnamectl set-hostname Server03
# 127.0.0.1对应为localhost
root@Server03:~# vim /etc/hosts
127.0.0.1       localhost
127.0.1.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.10.3 Server03.skills.com Server03
root@Server03:~# hostname -s
Server03
root@Server03:~# hostname -f
Server03.skills.com
root@Server03:~# vim /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto ens32
iface ens32 inet static
address 192.168.10.3/28
root@Server03:~# vim /etc/resolv.conf 
nameserver 192.168.10.4

二、时间同步服务

1、Chrony

  • chrony为全网提供时间同步服务器;
  • Server01、Server02、Server04、Client和Rserver应定期与其校正时间;
  • 每隔1分钟自动校正一次时间。
# 注释掉apt仓库
root@Server03:~# vim /etc/apt/sources.list.d/appstore.list
root@Server03:~# vim /etc/apt/sources.list
...#
deb [trusted=yes] file:///mnt fou main
root@Server03:~# mount -t auto -o loop /dev/sr0 /mnt/
root@Server03:~# apt update
Get:1 file:/mnt fou InRelease
Ign:1 file:/mnt fou InRelease
Get:2 file:/mnt fou Release [1,578 B]
Get:2 file:/mnt fou Release [1,578 B]
Get:3 file:/mnt fou Release.gpg
Ign:3 file:/mnt fou Release.gpg
Get:4 file:/mnt fou/main amd64 Packages [681 kB]
Get:5 file:/mnt fou/main i386 Packages [196 kB]
Reading package lists... Done
Building dependency tree       
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@Server03:~# apt install -y chrony
root@Server03:~# vim /etc/chrony/chrony.conf
# allow all或者 allow 0.0.0.0/0,两种写法都会接受任意来源客户端的时间同步请求
# 说明:如果只需要为内部主机提供时间同步,建议只放行对应网段(例如本机所在的 allow 192.168.10.0/28,其他网段按实际拓扑补充)
# local那一行表示当指定的server服务器不可用时,使用本地时间作为标准
#pool 2.debian.pool.ntp.org iburst
server 192.168.10.3 iburst
allow all
local stratum 10
root@Server03:~# systemctl restart chrony
root@Server03:~# systemctl restart cron.service

###Server01
[root@server01 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# yum install -y ntpdate chrony
[root@server01 ~]# vim /etc/chrony.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.10.3 iburst
[root@server01 ~]# systemctl restart chronyd.service
[root@server01 ~]# ntpdate 192.168.10.3
14 Jun 20:42:13 ntpdate[4513]: adjust time server 192.168.10.3 offset -0.000236 sec
[root@server01 ~]# chronyc sources -v
...
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 192.168.10.3                 10   6    17    29    -80us[ -158us] +/-  459us
[root@server01 ~]# chronyc sourcestats -v
...
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
192.168.10.3                4   3     6    -10.342    493.678   -326us    56us
[root@server01 ~]# vim /etc/crontab
*/1 * * * * ntpdate 192.168.10.3
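##Server02与Server01相同
# 注意:/etc/crontab 是系统级crontab,每条任务在时间字段之后还需要一个用户字段,应写成 */1 * * * * root ntpdate 192.168.10.3;只有用 crontab -e 编辑的用户级crontab才不写用户字段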
root@Server04:~# mount -t auto -o loop /dev/sr0 /mnt/
root@Server04:~# apt install -y ntpdate chrony
root@Server04:~# vim /etc/chrony/chrony.conf
#pool 2.debian.pool.ntp.org iburst
pool 192.168.10.3 iburst
root@Server04:~# systemctl restart cron.service
root@Server04:~# systemctl restart chronyd.service
root@Server04:~# ntpdate 192.168.10.3
root@Server04:~# chronyc sources -v
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 192.168.10.3                 10   6    17    35  +1015ns[+2106ns] +/-  130us
root@Server04:~# chronyc sourcestats -v
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
192.168.10.3                4   3     6     -0.896     24.670    -49us  4384ns
root@Server04:~# crontab -e
...
*/1 * * * * ntpdate 192.168.10.3
crontab: installing new crontab
[root@server04 ~]# vim /etc/crontab
*/1 * * * * ntpdate 192.168.10.3
##rserver与Server01相同
##client与Server01相同
sources时间同步源
sourcestats时间同步源状态
clients在客户端报告已访问到服务器

chronyc clients

在客户端查看时间同步源

chronyc sources

2、Ntp

  • Ntp为全网提供时间同步服务器;
  • Server01、Server02、Server04、Client和Rserver应定期与其校正时间;
  • 每隔1分钟自动校正一次时间。
# 注释掉apt仓库
root@Server03:~# vim /etc/apt/sources.list.d/appstore.list
root@Server03:~# vim /etc/apt/sources.list
...#
deb [trusted=yes] file:///mnt fou main
root@Server03:~# mount -t auto -o loop /dev/sr0 /mnt/
root@Server03:~# apt update
root@Server03:~# apt install -y ntp
root@Server03:~# dpkg -L ntp
...
/etc/ntp.conf
root@Server03:~# vim /etc/ntp.conf
...
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# 必须写127.127.1.0,不然客户端无法进行时间同步
server 127.127.1.0
# 重启到客户端能同步需要5分钟时间,这5分钟是ntp时间服务器与自身和其他ntp时间服务在同步,此时客户端若进行同步则会提示“no server suitable for synchronization found”
root@IspSrv:~# systemctl restart ntp
# 我们可以使用观察命令看进行到哪一步了
root@IspSrv:~# watch ntpq -p
# 若LOCAL前面有星号则同步完毕,可以正常提供时间同步
*LOCAL(0)        .LOCL.           5 l    4   64  377    0.000    0.000   0.000
root@IspSrv:~# ss -ntupl |grep ntp
...
udp   UNCONN 0      0                             127.0.0.1:123         0.0.0.0:*                          users:(("ntpd",pid=9419,fd=18))                      
root@IspSrv:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.           5 l   52   64  377    0.000    0.000   0.000
# 客户端测试
[root@appsrv ~]# ntpdate 81.6.63.100
13 Aug 18:36:50 ntpdate[1796]: step time server 81.6.63.100 offset -7765.792493 sec
[root@appsrv ~]# vim /etc/crontab 
[root@appsrv ~]# cat /etc/crontab  |grep 5
...
*/5 * * * * root ntpdate 81.6.63.100
[root@appsrv ~]# cat /etc/crontab  |grep ntpdate
*/5 * * * * root ntpdate 81.6.63.100
[root@storagesrv ~]# ntpdate 81.6.63.100
13 Aug 18:36:29 ntpdate[1917]: step time server 81.6.63.100 offset -86403.158388 sec
[root@storagesrv ~]# vim /etc/crontab
...
*/5 * * * * root ntpdate 81.6.63.100
[root@storagesrv ~]# cat /etc/crontab |grep ntpdate
*/5 * * * * root ntpdate 81.6.63.100

三、SSH

  • 安装SSH;
  • 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;
  • 配置client只能在Chinaskills23用户环境下可以免秘钥登录,端口号为2233,并且拥有root控制权限;
root@Server03:~# nano /etc/ssh/sshd_config
Port 2233
...
# 第一种写策略方法,只写其一
AllowUsers *@192.168.10.2,192.168.10.1
# 第二种写策略方法,只写其一
root@Server03:~# nano /etc/hosts.allow    
sshd:192.168.10.2,192.168.10.1:allow
root@Server03:~# nano /etc/hosts.deny
sshd:ALL
root@Server03:~# systemctl restart sshd.service
# 确认防火墙配置正常,内部网络能访问外部网络,流量放行打开FORWARD,TCP-2233
[root@client ~]# su - Chinaskills23
[Chinaskills23@client ~]$ ssh-copy-id -p 2233 root@192.168.10.3
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/Chinaskills23/.ssh/id_rsa.pub"
The authenticity of host '[192.168.10.3]:2233 ([192.168.10.3]:2233)' can't be established.
ECDSA key fingerprint is SHA256:qHvTJ+2+tIQUqR9V4MxE8WwwY3OohKLrIoIehImTQZU.
ECDSA key fingerprint is MD5:ff:82:b1:0b:24:53:ca:a8:63:39:03:91:9b:03:d2:78.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.3's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2233' 'root@192.168.10.3'"
and check to make sure that only the key(s) you wanted were added.

[Chinaskills23@client ~]$ ssh root@192.168.10.3
ssh: connect to host 192.168.10.3 port 22: Connection refused
[Chinaskills23@client ~]$ ssh -p 2233 root@192.168.10.3
Last login: Fri Jun 16 08:42:45 2023 from 192.168.10.1
root@Server03:~#

6、SERVER04 TASK

一、NETWORK

请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

root@Server04:~# hostnamectl set-hostname Server04
# 127.0.0.1对应为localhost
root@Server04:~# vim /etc/hosts
127.0.0.1       localhost
127.0.1.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.10.4 Server04.skills.com Server04
root@Server04:~# hostname -s
Server04
root@Server04:~# hostname -f
Server04.skills.com
root@Server04:~# vim /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto ens32
iface ens32 inet static
address 192.168.10.4/28
root@Server04:~# systemctl restart network
root@Server04:~# vim /etc/resolv.conf 
nameserver 192.168.10.4

二、DNS

  • 安装DNS相关服务软件包;
  • 为域skills.com提供必要的域名解析;
  • 当非skills.com域的解析时,统一解析到Rserver连接Internet网段的IP地址或Rserver.skills.com
# 注释掉
root@Server04:~# vim /etc/apt/sources.list
# 注释掉
root@Server04:~# vim /etc/apt/sources.list.d/appstore.list
root@Server04:~# vim /etc/apt/sources.list
deb [trusted=yes] file:///mnt fou main
root@Server04:~# mount -t auto -o loop /dev/sr0 /mnt/
root@Server04:~# apt update && apt install -y bind9 bind9utils
root@Server04:~# cd /etc/bind/
root@Server04:/etc/bind/# vim named.conf.options
		...
        dnssec-validation no;
        #listen-on-v6 { any; };
root@Server04:/etc/bind# vim named.conf.local
zone "skills.com" {
        type master;
        file "/etc/bind/skills.com.zx";
};
root@Server04:/etc/bind# cp -a db.local skills.com.zx
root@Server04:/etc/bind# vim skills.com.zx

; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     skills.com. skills.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      Server04.skills.com.
Server04     IN      A       192.168.10.4
@       IN      A       192.168.10.4
www     IN      A       192.168.10.4
*       IN      A       192.168.10.4
root@Server04:/etc/bind# vim named.conf.default-zones

zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/skills.com.fx";
};
root@Server04:/etc/bind# cp -a db.127 skills.com.fx
root@Server04:/etc/bind# vim skills.com.fx
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     skills.com. skills.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      Server04.skills.com.
4       IN      PTR     Server04.skills.com.
4       IN      PTR     skills.com.
4       IN      PTR     www.skills.com.
root@Server04:/etc/bind# vim /etc/bind/named.conf.default-zones 
// prime the server with knowledge of the root servers
zone "." {
        type master;
        file "/etc/bind/db.root";
};
root@Server04:/etc/bind# cp -a db.local db.root
root@Server04:/etc/bind# vim /etc/bind/db.root

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      root.
*       IN      A       192.168.10.2
*       IN      A       172.16.100.254
root@Server04:/etc/bind# systemctl restart bind9
root@Server04:/etc/bind# systemctl enable --now bind9

7、服务器IOMSrv工作任务

  • 图形界面登陆IOMSrv运维平台,登陆地址http://172.16.100.203;
  • 通过中间件Apache模板,添加Apache监控对象,查看运行状态;
  • 通过中间件MySQL数据库Agent模板,添加Mariadb监控对象,查看运行状态;
  • 通过新增WEB探测对象,监控门户网站www.chinaskills.cn,查看运行状态;
  • 基于SERVER01上的门户网站业务,完成业务拓扑绘制,并在业务大屏上呈现。

一、Zabbix-Server

一、安装Zabbix部署包

官方也提供了zabbix安装的文档,也可以自己按照官方文档进行安装,文档的链接如下:

https://www.zabbix.com/download?zabbix=5.0&os_distribution=centos&os_version=7&db=mysql&ws=nginx

[root@imosrv ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@imosrv ~]# vim /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[b]
baseurl=file:///root/zabbix
gpgcheck=0
[root@imosrv ~]# yum install zabbix-server-mysql zabbix-web-mysql zabbix-agent vim
[root@imosrv ~]# scp -r -P 3033 /usr/share/doc/zabbix-server-mysql-3.4.15/create.sql.gz 172.16.100.201:/root/

二、后端存储数据库

在MySQL上安装Zabbix数据库和用户,请参看下列指导步骤。MySQL数据库创建脚本

[root@server01 ~]# mysql -uroot -pChinaskills23
MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@'%' identified by 'Chinaskills23';
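# 创建zabbix用户,只允许本机登录,且没有密码,用于zabbix监控mariadb状态
# 说明:这个无密码账号对zabbix库拥有全部权限,本机上的任何用户都可以直接用它登录;仅用于监控时,建议设置密码并只授予监控所需的权限
# 上一条授权中的 zabbix@'%' 允许从任意主机连接,可以把主机部分收紧为Zabbix Server的地址(本例为172.16.100.203)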
MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@localhost;
flush privileges;

然后导入初始架构(Schema)和数据。

[root@server01 ~]# zcat /root/create.sql.gz | mysql -uzabbix -pChinaskills23 zabbix

三、编辑配置文件及php

Zabbix Server端配置文件

[root@imosrv ~]# vi /etc/zabbix/zabbix_server.conf
DBHost=172.16.100.201
DBName=zabbix
DBUser=zabbix
DBPassword=Chinaskills23
#DBPort=3358

Zabbix Agent端配置文件

# 自己监控自己。。。
[root@imosrv ~]# vim /etc/zabbix/zabbix_agentd.conf
Server=127.0.0.1 # Zabbix Server的地址,允许该ip地址获取数据,被动获取,默认即可
ServerActive=127.0.0.1  # 主动将主机的数据发送给该ip地址,Zabbix Server,主动发送,默认即可
Hostname=Zabbix Server # 这个定义的名字必须和web页面里面host的名字一样。默认即可
UnsafeUserParameters=1  # 允许向用户自定义参数(UserParameter)传入包含特殊字符的参数;自定义脚本本身并不依赖此项,开启后参数会原样拼进shell命令,存在命令注入风险,不需要时保持默认值0

php配置文件

[root@imosrv ~]# vim /etc/php.ini
...
date.timezone = "Asia/Shanghai"

四、启动Zabbix,并检测

[root@imosrv ~]# systemctl enable --now zabbix-server zabbix-agent httpd
# 查看日志,检测无异常
[root@imosrv ~]# tail -f /var/log/zabbix/zabbix_server.log 
  1826:20230618:092441.376 server #23 started [trapper #1]
  1828:20230618:092441.378 server #25 started [trapper #3]
  1832:20230618:092441.380 server #29 started [alert manager #1]
  1833:20230618:092441.380 server #30 started [preprocessing manager #1]
  1829:20230618:092441.382 server #26 started [trapper #4]
  1830:20230618:092441.383 server #27 started [trapper #5]
  1831:20230618:092441.384 server #28 started [icmp pinger #1]
  1836:20230618:092441.470 server #33 started [preprocessing worker #3]
  1835:20230618:092441.470 server #32 started [preprocessing worker #2]
  1834:20230618:092441.470 server #31 started [preprocessing worker #1]
# 在web界面设置后才能正常
[root@imosrv ~]# tail -f /var/log/zabbix/zabbix_agentd.log 
  1795:20230618:092441.290 using configuration file: /etc/zabbix/zabbix_agentd.conf
  1795:20230618:092441.290 agent #0 started [main process]
  1798:20230618:092441.291 agent #3 started [listener #2]
  1796:20230618:092441.291 agent #1 started [collector]
  1797:20230618:092441.291 agent #2 started [listener #1]
  1799:20230618:092441.292 agent #4 started [listener #3]
  1801:20230618:092441.293 agent #5 started [active checks #1]
  1801:20230618:092441.294 active check configuration update from [172.16.100.203:10051] started to fail (cannot connect to [[172.16.100.203]:10051]: [111] Connection refused)
  1801:20230618:092541.324 active check configuration update from [172.16.100.203:10051] is working again
  1801:20230618:092541.324 no active checks on server [172.16.100.203:10051]: host [iomsrv] not found

二、Zabbix-Agent

通过Linux代理模板,添加StorageSrv、AppSrv操作系统监控对象,查看运行状态

[root@server01 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# vim /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[b]
baseurl=file:///root/zabbix
gpgcheck=0
[root@storagesrv ~]# yum install zabbix-agent vim -y
[root@storagesrv ~]# vim /etc/zabbix/zabbix_agentd.conf
Server=172.16.100.203,必须写Zabbix Serverip地址,不然异常
ServerActive=172.16.100.203
Hostname=server01
[root@server01 ~]# systemctl enable --now zabbix-agent
[root@server01 ~]# tail -f /var/log/zabbix/zabbix_agentd.log
[root@server02 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server02 ~]# vim /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[b]
baseurl=file:///root/zabbix
gpgcheck=0
[root@server02 ~]# yum install zabbix-agent vim -y
[root@server02 ~]# vim /etc/zabbix/zabbix_agentd.conf
Server=172.16.100.203
ServerActive=172.16.100.203
Hostname=server02,# 与在web界面创建的主机名称保持一致即可,模板选择OS Linux
[root@server02 ~]# systemctl enable --now zabbix-agent
[root@server02 ~]# tail -f /var/log/zabbix/zabbix_agentd.log

右上角小人–>语言修改为中文(zh_CN)

  • 通过Linux代理模板,添加SERVER01、SERVER02操作系统监控对象,查看运行状态;

添加server01,server02操作系统监控对象

配置--->主机--->创建主机--->主机名称为server01--->群组选择为Linux servers--->agent代理程序的接口ip地址为server01的ip地址为172.16.100.201
  • 通过中间件Apache模板,添加Apache监控对象,查看运行状态;
  • 通过中间件MySQL数据库Agent模板,添加Mariadb监控对象,查看运行状态;
向右看模板--->选择--->[Template OS Linux],[Template App HTTP Service], [Template App HTTPS Service], [Template DB MySQL]--->上面的添加--->下面的添加


  • 通过新增WEB探测对象,监控门户网站www.sdskills.com,查看运行状态;
# HTTP
配置--->主机--->Web监测--->右上角创建 Web 场景--->名称为HTTP,应用集为HTTP service,客户端选择Firefox(Windows)--->步骤--->添加--->名称为HTTP-step,URL为http://www.sdskills.com,要求的状态码200--->下面的添加--->下面的添加
# HTTPS
配置--->主机--->Web监测--->右上角创建 
Web 场景--->名称为HTTPS,应用集为HTTPS service,客户端选择Firefox(Windows)--->步骤--->添加--->名称为HTTPS-step,URL为https://www.sdskills.com,要求的状态码200--->下面的添加--->下面的添加


  • 基于SERVER01上的门户网站业务,完成业务拓扑绘制,并在业务大屏上呈现
# 创建拓扑图图标
管理--->一般--->右上角选择图片--->创建图标--->依次名称为设备正常,设备故障,设备停用,设备维护--->上传手动创建的图标,绿色,红色,灰色,黄色
# 创建拓扑图
监控中--->拓扑图--->创建拓扑图--->名称为server01,宽为1000,高800,图标高亮,触发器状态上的标记组件改变,最小的触发器严重级别选择为未分类,说明什么级别的触发器会显示异常,低于此级别会在拓扑显示故障
# 拓扑图元素添加HTTP
点击刚刚创建的server01拓扑图--->编辑拓扑图--->图标:添加--->选中新创建的类型为主机,标签为HTTP,标签位置为底部,主机选择server01,应用集选择HTTP service,图标默认选择:设备正常,设备故障,设备维护,设备停用,座标任意,比如321,255,URLs的名称为HTTP,URL为http://www.sdskills.com--->应用--->更新--->确认
# 拓扑图元素添加HTTPS
点击刚刚创建的server01拓扑图--->编辑拓扑图--->图标:添加--->选中新创建的类型为主机,标签为HTTPS,标签位置为底部,主机选择server01,应用集选择HTTPS service,图标默认选择:设备正常,设备故障,设备维护,设备停用,座标任意,比如696,255,URLs的名称为HTTPS,URL为https://www.sdskills.com--->应用--->更新--->确认
如何实现链路监控?
按着ctrl然后选择两个元素,点击[链路]旁边的[添加]
# 触发器HTTP异常
配置--->主机--->触发器--->右上角创建触发器--->名称为HTTP异常,严重性为严重,表达式--->添加--->监控项--->选择为HTTP service is running,功能为默认last,结果为0时触发触发器--->插入--->URL为http://www.sdskills.com--->添加
# 触发器HTTPS异常
配置--->主机--->触发器--->右上角创建触发器--->名称为HTTPS异常,严重性为严重,表达式--->添加--->监控项--->选择为HTTPS service is running,功能为默认last,结果为0时触发触发器--->插入--->URL为https://www.sdskills.com--->添加
# 在业务大屏上面显示
监控中--->仪表盘--->编辑仪表盘--->修改常用的拓扑图为类型为拓扑图,名称为server01,Refresh interval为10秒,源类型为拓扑图,拓扑图选择server01--->应用--->保存设置


当触发触发器前

在这里插入图片描述

当触发触发器后

在这里插入图片描述

配置详情:


触发器配置


三、乐维智能监控平台-服务端

1、上传安装包

[root@imosrv ~]# ls
anaconda-ks.cfg  lw_2023_ITIM.zip

2、解压文件

[root@imosrv ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@imosrv ~]# vi /etc/yum.repos.d/a.repo
[a]
baseurl=file:///mnt
gpgcheck=0
[root@imosrv ~]# yum install -y vim bash-completion unzip
[root@imosrv ~]# unzip lw_2023_ITIM.zip -d .
Archive:  lw_2023_ITIM.zip
 extracting: ./LWweb.tar.gz  
 extracting: ./LWSetup.tar.gz
[root@imosrv ~]# tar xvf LWSetup.tar.gz -C .
[root@imosrv ~]# cd LWSetup

3、执行脚本

# 2>&1是错误重定向,将错误信息重定向到标准信息
[root@LW ~ LWSetup]# sh LW_install.sh POSTGRESQL 2>&1 | tee LW.txt
...
========================================[启动服务]========================================

root $ systemctl restart zabbix_server
root $ systemctl restart zabbix_agentd
# LNPP架构,检查端口号tcp80,8080,8081,5432,9000,10050,10051,10052
# 说明:下面的输出中5432(PostgreSQL)、8080、8081都监听在所有地址上;如果这些端口只供本机组件使用,建议用防火墙限制访问来源
[root@imosrv LWSetup]# ss -ntl
State      Recv-Q Send-Q Local Address:Port                Peer Address:Port              
LISTEN     0      128                *:10050                          *:*                  
LISTEN     0      128                *:10051                          *:*                  
LISTEN     0      128        127.0.0.1:9000                           *:*                  
LISTEN     0      128                *:80                             *:*                  
LISTEN     0      128                *:8080                           *:*                  
LISTEN     0      128                *:8081                           *:*                  
LISTEN     0      128                *:22                             *:*                  
LISTEN     0      128                *:5432                           *:*                  
LISTEN     0      100        127.0.0.1:25                             *:*                  
LISTEN     0      128             [::]:10050                       [::]:*                  
LISTEN     0      128             [::]:10051                       [::]:*                  
LISTEN     0      50              [::]:10052                       [::]:*                  
LISTEN     0      128             [::]:22                          [::]:*                  
LISTEN     0      128             [::]:5432                        [::]:*                  
LISTEN     0      100            [::1]:25                          [::]:*

如最终显示没有出现上图所示,麻烦提供LWweb.txt文件联系我们
如需更改默认配置,可查看详细脚本LW_web_install.sh 进行相关默认配置更改

四、乐维智能监控平台-WEB端

1、上传安装包

[root@imosrv ~]# ls
anaconda-ks.cfg  lw_2023_ITIM.zip  LWSetup  LWSetup.tar.gz  LWweb.tar.gz

2、解压文件

[root@imosrv ~]# tar xvf LWweb.tar.gz -C .
[root@imosrv ~]# cd LWweb

3、 执行脚本

[root@imosrv LWweb]# sh LW_web_install.sh POSTGRESQL 2>&1 | tee LWweb.txt
..
========================================[部署完成,请使用谷歌浏览器打开网址 http://192.168.100.150 进行页面初始化]========================================

如最终显示没有出现上图所示,麻烦提供LWweb.txt文件联系我们
如需更改默认配置,可查看详细脚本LW_web_install.sh 进行相关默认配置更改

4、打开浏览器访问

在这里插入图片描述

5、环境检测

在这里插入图片描述

6、 配置数据库

在这里插入图片描述

7、 初始化安装过程大致需要几分钟

在这里插入图片描述

8、 点击完成

在这里插入图片描述

初始化完成后的4个默认对象(127.0.0.1)是监控服务器本身的,需要更改IP启用监控,不可删除。

在这里插入图片描述

9、修改密码

在这里插入图片描述

类型 | 权限信息 | 对外端口开放
监控平台 | 操作系统ROOT权限 | TCP 10051、10052、80
操作系统 | 安装Agent操作帐号权限 | TCP:10050;ICMP
中间件 | 操作开启JMX,重启中间件权限;帐号密码 | JMX端口;TCP服务端口
数据库 | 账号密码、端口、实例名 | TCP:实例端口
服务器 | 管理口用户名密码;SNMP团体名 | UDP:623(IPMI)、161(SNMP);ICMP
存储 | 管理口用户名密码;SNMP团体名 | TCP:5859(SMI-S)、22(SSH)、23(TELNET);UDP:161(SNMP);ICMP
小型机 | 控制台用户名、密码;SNMP团体名 | TCP:22(SSH)、23(TELNET);UDP:161(SNMP);ICMP
网络设备 | SNMP团体名 | UDP:161(SNMP);ICMP
虚拟化 | Vcenter帐号密码 | TCP:443(API、SDK);ICMP
其他 | 视具体设备情况
注:Telnet(TCP 23)为明文协议,设备支持SSH时不建议开放。

10、授权码替换说明

授权码替换

登录系统后,找到右上角的版本设置。如下图位置

img
在框1内输入Admin用户密码,在框2内输入授权码,点击替换

img
替换成功后,授权使用天数应为无限制

img

7-1图形界面登陆IOMSrv运维平台,登陆地址http://172.16.100.203;

在这里插入图片描述


7-2通过Linux代理模板,添加SERVER01、SERVER02操作系统监控对象,查看运行状态;


被监控的操作系统监控对象

[root@server01 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server01 ~]# yum provides iostat
Loaded plugins: fastestmirror
Repository 'a' is missing name in configuration, using id
Repository 'b' is missing name in configuration, using id
Loading mirror speeds from cached hostfile
sysstat-10.1.5-19.el7.x86_64 : Collection of performance monitoring tools for Linux
Repo        : a
Matched from:
Filename    : /usr/bin/iostat
[root@server01 ~]# yum install -y sysstat
[root@server01 ~]# iostat 
Linux 3.10.0-1160.el7.x86_64 (server02)         06/26/2023      _x86_64_        (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.13    0.00    0.50    0.04    0.00   99.32

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
scd0              0.21        17.05         0.00      11376          0
sda              10.13       321.36       121.06     214401      80768
dm-0              7.44       303.42       117.96     202435      78701
dm-1              0.13         3.30         0.00       2204          0
[root@server01 ~]# tail -f /var/log/messages
Jun 24 21:26:27 Server01 systemd: Reloading.
Jun 24 21:26:28 Server01 systemd: Configuration file /usr/lib/systemd/system/lwops_agentd.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 24 21:26:28 Server01 systemd: Configuration file /usr/lib/systemd/system/lwops_agentd.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 24 21:26:28 Server01 systemd: Reloading.
Jun 24 21:26:28 Server01 systemd: Configuration file /usr/lib/systemd/system/lwops_agentd.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 24 21:26:28 Server01 systemd: Started Lwops Agent.
Jun 24 21:26:28 Server01 systemd: Stopping Lwops Agent...
Jun 24 21:26:28 Server01 systemd: Stopped Lwops Agent.
Jun 24 21:26:28 Server01 systemd: Started Lwops Agent.
Jun 24 21:26:28 Server01 lwops_agentd: Starting Zabbix Agent 2 [172.16.100.201]. (5.0.9)
Jun 24 21:26:28 Server01 lwops_agentd: Press Ctrl+C to exit.
Jun 24 21:26:34 Server01 systemd-logind: Removed session 54.
Jun 24 21:26:34 Server01 systemd: Started Session 55 of user root.
Jun 24 21:26:34 Server01 systemd-logind: New session 55 of user root.
Jun 24 21:26:34 Server01 systemd-logind: Removed session 55.
Jun 24 21:27:01 Server01 systemd: Started Session 56 of user root.
[root@server01 ~]# ss -ntpl|grep 10073
LISTEN     0      128       [::]:10073                 [::]:*                   users:(("lwops_agentd",pid=2299,fd=6))
[root@server02 ~]# mount -t auto -o loop /dev/sr0 /mnt/
[root@server02 ~]# yum provides iostat
Loaded plugins: fastestmirror
Repository 'a' is missing name in configuration, using id
Repository 'b' is missing name in configuration, using id
Loading mirror speeds from cached hostfile
sysstat-10.1.5-19.el7.x86_64 : Collection of performance monitoring tools for Linux
Repo        : a
Matched from:
Filename    : /usr/bin/iostat
[root@server01 ~]# yum install -y sysstat
[root@server01 ~]# iostat 
Linux 3.10.0-1160.el7.x86_64 (server02)         06/26/2023      _x86_64_        (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.13    0.00    0.50    0.04    0.00   99.32

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
scd0              0.21        17.05         0.00      11376          0
sda              10.13       321.36       121.06     214401      80768
dm-0              7.44       303.42       117.96     202435      78701
dm-1              0.13         3.30         0.00       2204          0

在这里插入图片描述

在被监控对象Server02中,由于开启了访问策略,所以需要放行

[root@server02 ~]# vim /etc/hosts.allow 
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:10.10.100.*,172.16.100.129,172.16.100.*:allow
[root@server02 ~]# systemctl restart sshd

最终agent安装状况如下

在这里插入图片描述

监控对象状态:

在这里插入图片描述

7-3通过中间件Apache模板,添加Apache监控对象,查看运行状态;


7-4通过中间件MySQL数据库Agent模板,添加Mariadb监控对象,查看运行状态

因为默认采用的root用户登录,并且无密码登录,这样很不安全,所以需要修改采集信息的用户名和密码

# 把原来的键值mysql.ping修改为如下,不然采集不到信息,使用以下用户登录到数据库中
mysql.ping[tcp://127.0.0.1,itmonitor,p@ssw0rd]


通过测试Mariadb版本结果错误可以得知,默认使用的是root用户,并且无密码,所以也需要修改登录的用户


因为是单节点Mariadb,所以禁用掉主从配置

在这里插入图片描述

需要在mysql所在的主机安装agent–创建监控账号–配置连接文件–配置agent的mysql监控参数

如何查找相应步骤:


按着步骤来

在这里插入图片描述

一、安装agent

二、Mysql创建监控账号

说明:下面的授权包含SUPER权限,而本文用到的监控语句都是只读的show类查询;监控账号原则上只保留所需的最小权限,能否去掉SUPER请按实际版本验证。

[root@server01 ~]# mysql -uroot -pChinaskills23
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 128
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT USAGE,PROCESS,SUPER,REPLICATION CLIENT,REPLICATION SLAVE ON *.* TO 'itmonitor'@'localhost' IDENTIFIED BY 'p@ssw0rd';
MariaDB [(none)]> flush privileges;

三、配置连接文件

# 在安装lwops的etc目录下面创建用于连接数据库的配置文件
[root@server01 ~]# vim /usr/local/lwops/etc/.my.cnf 
# Zabbix Agent
[mysql]
host=localhost
user=itmonitor
password=p@ssw0rd
socket=/var/lib/mysql/mysql.sock
[mysqladmin]
host=localhost
user=itmonitor
password=p@ssw0rd
socket=/var/lib/mysql/mysql.sock
# 更改所有者为lwops,不然agent没有读取权限;文件里保存着明文密码,建议同时执行 chmod 600 /usr/local/lwops/etc/.my.cnf,避免其他本地用户读取
[root@server01 ~]# chown -R lwops:lwops /usr/local/lwops/etc/.my.cnf
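# 检查lwopsAgent端主配置文件是否包含(Include)配置文件目录,以及UnsafeUserParameters的取值
# 说明:UserParameter只依赖Include加载配置文件;UnsafeUserParameters=1 只是取消对参数中特殊字符(引号、分号、管道符等)的过滤。后面的mysql.status[*]、mysql.variables[*]会把$1直接拼进shell命令和SQL语句,而参数只是变量名,不需要特殊字符,建议设为0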
[root@server01 ~]# cat /usr/local/lwops/etc/lwops_agentd.conf|grep -En "Include|Unsafe"
240:### Option: Include
246:Include=/usr/local/lwops/etc/lwops_agentd.conf.d/*.conf
251:### Option: UnsafeUserParameters
262:UnsafeUserParameters=1

四、增加mysql监控参数

# 编写用于添加Mariadb监控对象的配置文件
[root@server01 ~]# vim /usr/local/lwops/etc/lwops_agentd.conf.d/mysql.conf 
### MySQL DB Infomation
# 注意修改.my.cnf文件所在位置使用命令快速修改
:%s/\/itops\/zabbix\/etc\/.my.cnf/\/usr\/local\/lwops\/etc\/.my.cnf/g

UserParameter=mysql.status[*],echo "show global status where Variable_name='$1';"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{print $$2}' #查看全局状态
UserParameter=mysql.variables[*],echo "show global variables where Variable_name='$1';"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{print $$2}' #查看全局变量设置
#-------------->>>删除以下或注释掉,应为主键中已经存在了<<<-----------------
#UserParameter=mysql.ping,mysqladmin --defaults-file=/itops/zabbix/etc/.my.cnf ping|grep -c alive #检测MYSQL存活
#UserParameter=mysql.version,echo "select version();"|mysql --defaults-file=/itops/zabbix/etc/.my.cnf -N #获取MYSQL版本

#### MySQL Master Information
# Replication-master metrics. Each command pipes one SHOW statement into the
# mysql client with the credentials from .my.cnf; -N omits the column-name row.
# These keys take no parameters, so $1/$2/$NF below are plain awk fields.
# On the MariaDB 5.5 server shown on this page, SHOW SLAVE HOSTS needs
# REPLICATION SLAVE, and SHOW MASTER STATUS / SHOW BINARY LOGS need
# REPLICATION CLIENT or SUPER. NOTE(review): the SUPER privilege in the GRANT
# on this page looks broader than these commands require; confirm and drop it.
# Number of rows returned by SHOW SLAVE HOSTS.
UserParameter=mysql.master.Slave_count,echo "show slave hosts;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|wc -l #SLAVE状态
# Current binlog file name, part before the dot.
UserParameter=mysql.master.Binlog_file,echo "show master status;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{print $1}'|awk -F. '{print $1}' #binlog日志文件名称
# Current binlog file name, part after the dot (the sequence number).
UserParameter=mysql.master.Binlog_number,echo "show master status;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{print $1}'|awk -F. '{print $2}' #binlog日志文件序号
# Second column of SHOW MASTER STATUS (the binlog position).
UserParameter=mysql.master.Binlog_position,echo "show master status;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{print $2}' #binlog日志记录的位置
# Number of rows returned by SHOW BINARY LOGS.
UserParameter=mysql.master.Binlog_count,echo "show binary logs;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|wc -l #binlog日志数量统计
# Sum of the last column of SHOW BINARY LOGS (the file sizes).
UserParameter=mysql.master.Binlog_total_size,echo "show binary logs;"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N|awk '{sum+=$NF}END{print sum}' #binlog日志占用的空间大小

#### MySQL Slave Information
# Replica metrics. Each command runs SHOW SLAVE STATUS with \G (one field per
# line), greps the line for one field name and prints its second
# whitespace-separated token, i.e. the value after "Name:".
# SHOW SLAVE STATUS needs REPLICATION CLIENT or SUPER on the account.
# NOTE(review): grep matches substrings; on servers that also print a field
# such as Slave_SQL_Running_State the Slave_SQL_Running pattern would return
# two lines. Verify the output on the server version in use.
UserParameter=mysql.slave.Seconds_Behind_Master,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Seconds_Behind_Master"|awk '{print $2}' #本地sql线程和io线程之间的差距时>
UserParameter=mysql.slave.Slave_IO_Running,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Slave_IO_Running"|awk '{print $2}' #I/O线程是否被启动并成功地连接到主服务器上
UserParameter=mysql.slave.Slave_SQL_Running,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Slave_SQL_Running"|awk '{print $2}' #SQL线程是否被启动
UserParameter=mysql.slave.Relay_Log_Pos,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Relay_Log_Pos"|awk '{print $2}' #在当前的中继日志中,SQL线程已读取和执行的位置
UserParameter=mysql.slave.Exec_Master_Log_Pos,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Exec_Master_Log_Pos"|awk '{print $2}'
UserParameter=mysql.slave.Read_Master_Log_Pos,echo "show slave status\G"|mysql --defaults-file=/usr/local/lwops/etc/.my.cnf|grep "Read_Master_Log_Pos"|awk '{print $2}'

#### MySQL InnoDB Information
#
# InnoDB metrics are delegated to a helper script; the key's first parameter
# is passed to it as its first argument.
# NOTE(review): $1 is substituted as text and is unquoted, so the shell parses
# it before the script runs. The script shown on this page only compares its
# argument with fixed metric names, but that check comes after shell parsing;
# with UnsafeUserParameters=1 the agent presumably does not filter shell
# metacharacters in the parameter. Confirm the option can stay at 0.
UserParameter=mysql.innodb[*],/usr/local/lwops/scripts/mysql_innodb_status.sh $1
[root@server01 ~]# chown -R lwops:lwops /usr/local/lwops/etc/lwops_agentd.conf.d/mysql.conf

五、新增脚本

[root@server01 ~]# vim /usr/local/lwops/scripts/mysql_innodb_status.sh
# 注意修改.my.cnf文件所在位置使用命令快速修改
:%s/\/usr\/local\/zabbix\/etc\/.my.cnf/\/usr\/local\/lwops\/etc\/.my.cnf/g
#!/bin/bash
#
# mysql_innodb_status.sh - print a single InnoDB metric for the monitoring agent.
#
# Usage: mysql_innodb_status.sh <metric-name>
#
# The metric name is only compared with the fixed names in the case statement
# at the bottom of this file; it is never placed into SQL or a command line.
# An unknown name prints "wrong parameter".
# Every query goes through the mysql client using the credentials stored in
# /usr/local/lwops/etc/.my.cnf.

# Send one SQL statement ($1) to the mysql client; -N omits column names.
run_sql() {
  printf '%s\n' "$1" | mysql --defaults-file=/usr/local/lwops/etc/.my.cnf -N
}

# Print 0 when the value ($1) equals the sentinel ($2), else print the value.
# The value is expanded unquoted on purpose: this keeps the whitespace
# collapsing of the plain "echo $value" this helper replaces.
print_or_zero() {
  if [ "$1" == "$2" ]; then
    echo 0
  else
    echo $1
  fi
}

# Column $1 of the summed per-transaction counters in
# information_schema.INNODB_TRX; a literal NULL is reported as 0.
trx_sum() {
  local result
  result=$(run_sql "SELECT SUM(trx_rows_locked) AS rows_locked, SUM(trx_rows_modified) AS rows_modified, SUM(trx_lock_memory_bytes) AS lock_memory FROM information_schema.INNODB_TRX;" | awk -v col="$1" '{print $col}')
  print_or_zero "$result" "NULL"
}

# Column $1 of the summed compress/uncompress times in
# information_schema.INNODB_CMP, printed as returned.
cmp_time() {
  local result
  result=$(run_sql "SELECT SUM(compress_time) AS compress_time, SUM(uncompress_time) AS uncompress_time FROM information_schema.INNODB_CMP;" | awk -v col="$1" '{print $col}')
  echo $result
}

# Count column of the transaction-state row matching $1; no match prints 0.
trx_state_count() {
  local result
  result=$(run_sql 'SELECT LOWER(REPLACE(trx_state, " ", "_")) AS state, count(*) AS cnt from information_schema.INNODB_TRX GROUP BY state;' | grep "$1" | awk '{print $2}')
  print_or_zero "$result" ""
}

# Field number $2 of the SHOW ENGINE INNODB STATUS line that matches $1.
status_field() {
  run_sql 'show engine innodb status\G' | grep "$1" | awk -v col="$2" '{print $col}'
}

metric=$1

case $metric in
  # Rows locked by transactions.
  Innodb_rows_locked) trx_sum 1 ;;
  # Rows modified by transactions.
  Innodb_rows_modified) trx_sum 2 ;;
  # Lock memory held by transactions, in bytes.
  Innodb_trx_lock_memory) trx_sum 3 ;;
  # Compression time.
  Innodb_compress_time) cmp_time 1 ;;
  # Decompression time.
  Innodb_uncompress_time) cmp_time 2 ;;
  # Transactions in the running state.
  Innodb_trx_running) trx_state_count running ;;
  # Transactions waiting for a lock.
  Innodb_trx_lock_wait) trx_state_count lock_wait ;;
  # Transactions being rolled back.
  Innodb_trx_rolling_back) trx_state_count rolling_back ;;
  # Transactions being committed.
  Innodb_trx_committing) trx_state_count committing ;;
  # Unpurged transactions in the undo space: grows as transactions commit,
  # shrinks as the purge thread runs.
  Innodb_trx_history_list_length) status_field "History list length" 4 ;;
  # Last checkpoint position in the log.
  Innodb_last_checkpoint_at) status_field "Last checkpoint at" 4 ;;
  # Log sequence number: total bytes of log written since the tablespace
  # was created.
  Innodb_log_sequence_number) status_field "Log sequence number" 4 ;;
  # Position up to which the log has been flushed.
  Innodb_log_flushed_up_to) status_field "Log flushed up to" 5 ;;
  # Number of open read views.
  Innodb_open_read_views_inside_innodb) status_field "read views open inside InnoDB" 1 ;;
  # Query threads currently inside InnoDB.
  Innodb_queries_inside_innodb) status_field "queries inside InnoDB" 1 ;;
  # Query threads waiting in the InnoDB queue.
  Innodb_queries_in_queue) status_field "queries in queue" 5 ;;
  # Hash-index searches per second. The key's spelling is kept as it is;
  # presumably the item keys on the monitoring side use the same spelling.
  Innodb_hash_seaches) status_field "hash searches" 1 ;;
  # Non-hash searches per second.
  Innodb_non_hash_searches) status_field "non-hash searches/s" 4 ;;
  # Node heap buffers used by the hash index.
  Innodb_node_heap_buffers) status_field "node heap" 8 ;;
  # Mutex OS waits.
  Innodb_mutex_os_waits) status_field "Mutex spin waits" 9 ;;
  # Mutex spin rounds (trailing comma removed).
  Innodb_mutex_spin_rounds) status_field "Mutex spin waits" 6 | tr -d ',' ;;
  # Mutex spin waits (trailing comma removed).
  Innodb_mutex_spin_waits) status_field "Mutex spin waits" 4 | tr -d ',' ;;
  # File read I/O rate.
  Innodb_file_read) status_field "avg bytes/read" 1 ;;
  # File write I/O rate.
  Innodb_file_write) status_field "avg bytes/read" 6 ;;
  # File fsync I/O rate.
  Innodb_file_fsync) status_field "avg bytes/read" 8 ;;
  *) echo "wrong parameter" ;;
esac
# 给予相应权限(更改所有者为lwops,并添加可执行权限)
[root@server01 ~]# chown -R lwops:lwops /usr/local/lwops/scripts/mysql_innodb_status.sh
[root@server01 ~]# chmod +x /usr/local/lwops/scripts/mysql_innodb_status.sh
# 重启lwops_agentd Agent守护程序即可
[root@server01 ~]# systemctl restart lwops_agentd

添加Mariadb监控对象

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

查看运行状态

在这里插入图片描述

7-5通过新增WEB探测对象,监控门户网站www.chinaskills.cn,查看运行状态;

在这里插入图片描述

HTTP

在这里插入图片描述

在这里插入图片描述

HTTPS

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

Nginx

在这里插入图片描述

在这里插入图片描述

[root@rserver ~]# vim /etc/nginx/conf.d/proxy.conf 
# Cache store for the "web" zone referenced by proxy_cache in the HTTPS server:
# cached files go under /tmp/cache in a two-level directory layout, and 500m is
# the size of the shared-memory zone that holds the cache keys.
# NOTE(review): /tmp is normally world-writable; a dedicated directory owned by
# the nginx user is the usual choice for cached responses. Confirm.
proxy_cache_path /tmp/cache levels=1:2 keys_zone=web:500m;
# Plain-HTTP virtual host: requests are answered with a 301 redirect to HTTPS.
server {
        listen 80;
        server_name rserver.sdskills.com;
        # NOTE(review): the server-level "return" below is evaluated before a
        # location is selected, so this status location is probably never
        # served on port 80. Verify with a test request.
        location /ngx_status
        {
        # Connection/request counters; no allow/deny rule limits who may read them.
        stub_status on;
        access_log off;
        }
        return 301 https://rserver.sdskills.com;
}

# HTTPS virtual host: terminates TLS and proxies to www.sdskills.com with caching.
server {
        server_name rserver.sdskills.com;
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/sdskills.crt; # paths of the TLS certificate and private key
        ssl_certificate_key /etc/nginx/ssl/sdskills.key;
        # Regex location; the pattern .*\.* matches any URI.
        # NOTE(review): nginx prefers a matching regex location over a plain
        # prefix location, so this block likely also captures /ngx_status.
        # Confirm with a request to that path.
        location ~.*\.* {
        # NOTE(review): proxy_ssl_verify is not set, so the upstream
        # certificate is presumably not verified. Confirm.
        proxy_pass https://www.sdskills.com;
        proxy_set_header x-real-ip $remote_addr;
        proxy_cache web;
        add_header wall "this is cache web";
        proxy_set_header Host $host;
        # 200/301/302 responses are cached for 24h, any other status for 5m.
        proxy_cache_valid 200 302 301 24h;
        proxy_cache_valid any 5m;
        }
        # Status endpoint; no allow/deny rule restricts who may read it.
        location /ngx_status
        {
        stub_status on;
        access_log off;
        }
}
[root@rserver ~]# nginx -t                 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@rserver ~]# /usr/sbin/nginx -s reload
[root@rserver ~]# systemctl restart nginx
[root@rserver ~]# systemctl status nginx
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-06-26 22:59:39 CST; 12min ago
     Docs: http://nginx.org/en/docs/
 Main PID: 3378 (nginx)
   CGroup: /system.slice/nginx.service
           ├─3378 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
           ├─3379 nginx: worker process
           ├─3380 nginx: worker process
           └─3381 nginx: cache manager process

Jun 26 22:59:39 rserver systemd[1]: Stopped nginx - high performance web server.
Jun 26 22:59:39 rserver systemd[1]: Starting nginx - high performance web server...
Jun 26 22:59:39 rserver systemd[1]: Started nginx - high performance web server.

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述
