备考智能云网运维1022

ulimit
# Show the current limits before changing anything.
ulimit -a
# Raise the open-files and max-user-processes limits for every login shell
# that sources /etc/profile.  NOTE(review): each run appends another copy of
# these lines, so check /etc/profile before repeating; for a non-root login
# "ulimit -n" cannot go above the hard limit, in which case
# /etc/security/limits.conf is the usual place — confirm for this system.
echo "ulimit -n 65535" >> /etc/profile
echo "ulimit -u 10000" >> /etc/profile

set dns
# Point systemd-resolved at the lab BIND server (the same address the
# openlab.com zone publishes for www) and make /etc/resolv.conf follow it.
vim /etc/systemd/resolved.conf
# Line to set inside the [Resolve] section of resolved.conf:
DNS=192.168.23.152
systemctl restart systemd-resolved
systemctl enable systemd-resolved
# Keep the old resolver config, then replace it with the file systemd-resolved
# generates (this variant lists the upstream server directly and bypasses
# the 127.0.0.53 stub).
mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/resolv.conf /etc/
systemctl restart systemd-resolved
# Verify: resolv.conf should list 192.168.23.152 and the lab name must resolve.
cat /etc/resolv.conf
nslookup www.openlab.com

---
# Set worker_processes in nginx.conf and reload nginx on the web servers.
- name: configure nginx
  hosts: webservers
  tasks:
          # Replaces the first line matching the regexp; if none matches the
          # line is appended to the file.
          - name: change worker processes
            lineinfile:
                    path: /etc/nginx/nginx.conf
                    regexp: '^worker_processes'
                    line: 'worker_processes 4;'
          # Plain task, not a handler: the reload runs on every play, even when
          # the line above did not change.
          - name: reload nginx
            systemd:
                    name: nginx
                    state: reloaded
                    
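---
# Nightly (05:05) archive of the nginx logs on the web servers.
- name: Backup Nginx Log
  hosts: webservers
  tasks:
          # /backup is not created by anything else; owner-only because the
          # logs contain client addresses and request data.
          - name: Create Backup Directory
            file:
                    path: /backup
                    state: directory
                    mode: '0700'
          - name: Setup Cron For Backup
            cron:
                    name: Backup Nginx Log
                    minute: "05"
                    hour: "05"
                    # The date stamp is computed by the job when cron runs it.
                    # The original used {{ ansible_date_time.date }}, which
                    # Ansible renders once at play time, so every night wrote
                    # the same file name.  cron turns a bare '%' into a
                    # newline, hence the escaped '\%' (YAML "\\" -> one '\').
                    # tar's -C takes a directory, not a glob, so the logs are
                    # given as plain paths; -v is dropped so cron does not
                    # mail a file listing every night.
                    job: "tar -zcf /backup/www-$(date +\\%F).tar.gz /var/log/nginx/*.log"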
                    
---
# Render the index page from a Jinja2 template on the control node.
- name: index
  hosts: webservers
  tasks:
          # src is an absolute path on the controller; dest is the web root.
          - name: index
            template:
                    src: /etc/ansible/demo/index.html.j2
                    dest: /var/www/html/index.html
# Show the template, then dump facts to find the variables it references.
cat index.html.j2
# (content of index.html.j2:)
welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}
# >> appends the full fact dump (interfaces, environment, users...) to
# 11.txt; treat that file as sensitive and do not leave it in the repo.
ansible webservers -m setup >> 11.txt
ansible webservers -m setup | grep defau -A 2

# Key-based SSH to the managed hosts: generate a key pair (interactive prompts
# for path and passphrase), then push the public key to each target.
ssh-keygen 
cat ~/.ssh/id_rsa.pub 
ssh-copy-id 192.168.23.152
# Non-default port and user: ssh options come before user@host.
ssh-copy-id -p 2222 username@hostname

vim ansible.cfg
[defaults]
# Static inventory and the SSH account used for every host.
inventory   = /etc/ansible/demo/inventory
remote_user = root
# Disables SSH host-key verification, so a host that changed (or is being
# impersonated) is not noticed.  Acceptable for throwaway lab VMs only; keep
# the default and pre-seed known_hosts anywhere that matters.
host_key_checking = False
[privilege_escalation]
# Escalate with sudo without prompting: requires passwordless sudo for the
# remote user (moot while remote_user is root).
become=True
become_method=sudo
become_user=root
become_ask_pass=False

cat inventory
# Two one-host groups: .152 is also the lab DNS server and www.openlab.com.
[webservers]
192.168.23.152
[nginx]
192.168.23.155

# Resolve the inventory, then test control: "ping" here is the Ansible module
# (SSH login plus a working Python on the target), not ICMP.
ansible all --list-hosts
ansible all -m ping

cat backup.yaml 
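---
# Nightly (05:05) archive of the nginx logs on the web servers.
- name: Backup Nginx Log
  hosts: webservers
  tasks:
          # /backup is not created by anything else; owner-only because the
          # logs contain client addresses and request data.
          - name: Create Backup Directory
            file:
                    path: /backup
                    state: directory
                    mode: '0700'
          - name: Setup Cron For Backup
            cron:
                    name: Backup Nginx Log
                    minute: "05"
                    hour: "05"
                    # The date stamp is computed by the job when cron runs it.
                    # The original used {{ ansible_date_time.date }}, which
                    # Ansible renders once at play time, so every night wrote
                    # the same file name.  cron turns a bare '%' into a
                    # newline, hence the escaped '\%' (YAML "\\" -> one '\').
                    # tar's -C takes a directory, not a glob, so the logs are
                    # given as plain paths; -v is dropped so cron does not
                    # mail a file listing every night.
                    job: "tar -zcf /backup/www-$(date +\\%F).tar.gz /var/log/nginx/*.log"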
                    
vim nginx.yaml
---
# Set worker_processes in nginx.conf and reload nginx on the web servers.
- name: configure nginx
  hosts: webservers
  tasks:
          # Replaces the first line matching the regexp; if none matches the
          # line is appended to the file.
          - name: change worker processes
            lineinfile:
                    path: /etc/nginx/nginx.conf
                    regexp: '^worker_processes'
                    line: 'worker_processes 4;'
          # Plain task, not a handler: the reload runs on every play, even when
          # the line above did not change.
          - name: reload nginx
            systemd:
                    name: nginx
                    state: reloaded

cat apt.yaml                    
---
# Ensure nginx is installed on the [nginx] group (apt, so a Debian/Ubuntu
# target).  present installs if missing and never upgrades.
- name: install nginx
  hosts: nginx
  tasks:
          - name: task1
            apt:
                    name: nginx
                    state: present

---
# NOTE(review): the play name says Apache, but the package list is php and
# mariadb-server — no web server is installed here; rename or add it.
# state: latest also upgrades already-installed packages on every run, so the
# play is not a no-op once converged.
- name: install the latest version of Apache and MariaDB
  hosts: webservers
  tasks:
          - name: install
            apt:
                    name:
                            - php
                            - mariadb-server
                    state: latest

cat index.yaml                    
---
# Render the index page from a Jinja2 template on the control node.
- name: index
  hosts: webservers
  tasks:
          # src is an absolute path on the controller; dest is the web root.
          - name: index
            template:
                    src: /etc/ansible/demo/index.html.j2
                    dest: /var/www/html/index.html
# Show the template, then dump facts to find the variables it references.
cat index.html.j2
# (content of index.html.j2:)
welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}
# >> appends the full fact dump (interfaces, environment, users...) to
# 11.txt; treat that file as sensitive and do not leave it in the repo.
ansible webservers -m setup >> 11.txt
ansible webservers -m setup | grep defau -A 2

{# One line per inventory host: IP, FQDN, short hostname.  hostvars[i] only
   carries these facts for hosts whose facts were gathered in the same run,
   so render this from a play that targets all hosts (hosts: all). #}
{% for i in groups.all %}
{{ hostvars[i].ansible_default_ipv4.address }} {{ hostvars[i].ansible_fqdn}} {{ hostvars[i].ansible_hostname }}
{% endfor %}

ansible demo
copy/template/apt/ufw/iptables/group/file/lineinfile/cron/uri/

DNS
https://blog.csdn.net/qq_48975137/article/details/132340986
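# The Debian/Ubuntu package is bind9 (the unit restarted later is bind9 and
# the config lives in /etc/bind); "bind" is not a package name there.
apt-get -y install bind9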

vim /etc/bind/named.conf.default-zones
// Forward zone for the lab domain; this server is the primary.
zone "openlab.com" {
        type master;
        file "/etc/bind/db.openlab.com";
};

// Reverse zone for 192.168.23.0/24, so PTR lookups of lab hosts work.
zone "23.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};
vim /etc/bind/db.openlab.com
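$TTL    604800
; Forward zone for openlab.com.  Bump the serial whenever this file changes.
@    IN    SOA    openlab.com. root.localhost. (
                  1            ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )    ; Negative Cache TTL
;
@            IN    NS    localhost.
; NS data must be a host name, not an address, and an owner without a trailing
; dot is relative to the origin: the original "openlab.com  IN NS 192.168.23.152"
; defined openlab.com.openlab.com. pointing at the name 192.168.23.152.openlab.com.
; The zone's name server is www, whose address is the A record below.
@            IN    NS    www.openlab.com.
www            IN    A    192.168.23.152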

vim /etc/bind/db.192
;
; BIND reverse data file for local loopback interface
;
; Reverse zone for 192.168.23.0/24: the origin is 23.168.192.in-addr.arpa, so
; the owner "152" below is 192.168.23.152.
$TTL    604800
@    IN    SOA    openlab.com. root.localhost. (
                  1        ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )    ; Negative Cache TTL
;
@    IN    NS    www.openlab.com.
152    IN    PTR    www.openlab.com.

vim /etc/bind/named.conf.options
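options {
    directory "/var/cache/bind";
        // 127.0.0.1 is already covered by "any"; kept as written.
        listen-on port 53 {127.0.0.1;any; };
        // No zone transfers: the zones here have no secondaries.
        allow-transfer { none; };
        // This server recurses for the lab LAN.  Who may recurse is stated
        // explicitly instead of relying on BIND's default, so the server is
        // not usable as an open resolver from other networks (lab clients are
        // IPv4; localhost covers ::1).
        recursion yes;
        allow-recursion { localhost; 192.168.23.0/24; };
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};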
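# Validate the config and both zones before restarting, so a typo does not
# take the resolver down (the lab clients point only at this server).
named-checkconf
named-checkzone openlab.com /etc/bind/db.openlab.com
named-checkzone 23.168.192.in-addr.arpa /etc/bind/db.192
systemctl restart bind9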

set dns
# Point systemd-resolved at the lab BIND server and make /etc/resolv.conf
# follow it (same procedure as in the first section of these notes).
vim /etc/systemd/resolved.conf
# Line to set inside the [Resolve] section of resolved.conf:
DNS=192.168.23.152
systemctl restart systemd-resolved
systemctl enable systemd-resolved
# Keep the old resolver config, then replace it with the file systemd-resolved
# generates (lists the upstream server directly, bypassing the 127.0.0.53 stub).
mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/resolv.conf /etc/
systemctl restart systemd-resolved
# Verify: resolv.conf should list 192.168.23.152 and the lab name must resolve.
cat /etc/resolv.conf
nslookup www.openlab.com

# Inspect, then flush, the filter table.  -F removes every rule in every chain
# but leaves the chain policies alone: with the default ACCEPT policies (no -P
# is set anywhere below) the ACCEPT rules that follow restrict nothing by
# themselves.
iptables -L
iptables -F
# Per-port pairs: inbound to the service port, outbound replies by source
# port.  The usual alternative is one
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" per chain.
# Only TCP is opened for 53, so UDP DNS would be blocked under a DROP policy.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 8088 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8088 -j ACCEPT
# Traffic arriving for 8888 is redirected to local port 80.  PREROUTING sees
# incoming packets only, not connections generated on this host.
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j REDIRECT --to-ports 80
# Rule numbers from --line-numbers feed the -D form (placeholders below).
# None of this survives a reboot without iptables-save / a persistence package.
iptables -L --line-numbers
iptables -D [chain] [rule-number]
# ufw front end: "enable/disable" is note shorthand for one or the other.
ufw status
ufw enable/disable
ufw allow 8088
# Allows every port from that single address.
ufw allow from 192.168.1.1
# firewalld rich rules.  --permanent edits the saved config only; run
# "firewall-cmd --reload" (or repeat without --permanent) for it to apply.
# x.x.x.x/x is a placeholder for the trusted source prefix.
firewall-cmd --add-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=x.x.x.x/x accept' --permanent
firewall-cmd --remove-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=x.x.x.x/x accept' --permanent
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.55.39.75" accept' --permanent
#####
# A dedicated zone for trusted sources; note the drop rule on the next line is
# added to "public", not to the new zone.
firewall-cmd --permanent --new-zone=trustip
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 port port=21 protocol=tcp drop' --permanent
# "--remove" is a note fragment: --remove-rich-rule with the same rule text undoes the line above.
--remove
firewall-cmd --zone=trustip --add-source=193.173.63.57 --permanent
firewall-cmd --list-all-zones
firewall-cmd --add-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=49.74.129.201/32 accept' --permanent

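# Build nginx from source with the PCRE and zlib development headers it needs.
apt install gcc
apt-get install libpcre3 libpcre3-dev
apt-get install zlib1g zlib1g-dev

# Fetch over HTTPS (the original used plain http).  nginx.org publishes a
# detached .asc signature next to every tarball — verify it before building.
# NOTE(review): 1.13.7 is an old mainline release; prefer a current stable.
wget https://nginx.org/download/nginx-1.13.7.tar.gz
tar -xvf nginx-1.13.7.tar.gz
# configure must run inside the extracted tree (the original omitted the cd).
cd nginx-1.13.7
./configure --prefix=/usr/local/nginx
# Drop -Werror from the generated CFLAGS *before* make, otherwise warnings from
# a newer gcc abort the build.  (The original note "vim objs/Makefile -Werror"
# meant this step but listed it after make install, and "-Werror" as a vim
# argument is vim's -W option, which records keystrokes into a file "error".)
sed -i 's/ -Werror//' objs/Makefile
make
make install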


vi  /etc/systemd/system/nginx.service
[Unit]
Description=nginx
After=network.target
[Service]
# nginx daemonizes by default, hence forking.  NOTE(review): with Type=forking
# systemd guesses the main PID unless PIDFile= is given; point it at the pid
# file this prefix build writes (under /usr/local/nginx — confirm the path).
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# -s quit is the graceful stop (in-flight requests finish).
ExecStop=/usr/local/nginx/sbin/nginx -s quit
# Private /tmp for the service; no other sandboxing directives are set.
PrivateTmp=true
[Install]
WantedBy=multi-user.target

# Database and PHP stack for WordPress.  The php-fpm unit name is version
# specific (7.2 here) and must match the socket path used in nginx.conf.
apt-get install mysql-server

apt install php php-fpm php-mysql
systemctl enable php7.2-fpm

vim /usr/local/nginx/conf/nginx.conf
# Worker user; must match the php-fpm pool user so the socket below is
# reachable (www-data by default on Debian/Ubuntu — confirm in www.conf).
user www-data;
root /usr/local/nginx/wordpress;
location / {
            #root   html;
            # index.php first so the WordPress front controller is used.
            index  index.php index.html index.htm;
        }
# Every URI ending in .php is handed to php-fpm over its unix socket.
# NOTE(review): consider "try_files $uri =404;" here so only scripts that
# exist on disk reach php-fpm.
location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_pass   unix:/var/run/php/php7.2-fpm.sock;
            include        fastcgi_params;
        }
# Pool config: the listen path must be the one nginx's fastcgi_pass points at.
vim /etc/php/7.2/fpm/pool.d/www.conf
listen = /var/run/php/php7.2-fpm.sock

# MySQL: one database and one scoped account for WordPress.
mysql -u root -p
create database wordpress;
# The password literal is part of these notes; rotate it before reuse and
# keep the real one only in wp-config.php with restrictive permissions.
create user 'yangxiaofeng'@'localhost' identified by '0o8b5w';
# Rights limited to the wordpress schema — no global privileges.
grant all privileges on wordpress.* to yangxiaofeng@localhost;
show databases;
# Not needed after GRANT (it updates the grant tables itself); harmless.
FLUSH PRIVILEGES;

# Move the unpacked WordPress tree under the nginx prefix (matches the root
# directive in nginx.conf), then set the DB credentials.
mv wordpress /usr/local/nginx/
# NOTE(review): after the mv the file is /usr/local/nginx/wordpress/wp-config.php;
# the path below is missing the wordpress/ component.
vim /usr/local/nginx/wp-config.php

/etc/nginx/sites-available/default
# Debian-packaged nginx default site pointed at WordPress.
root /var/www/wordpress;
index index.php index.html index.htm index.nginx-debian.html;
location ~ \.php$ {
                # Debian's snippet sets SCRIPT_FILENAME and guards with
                # try_files — verify on the target rather than duplicating.
                include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }
vim /etc/php/7.2/fpm/pool.d/www.conf
# Repeated from the source-build section: PHP stack and the 7.2 pool.
apt install php php-fpm php-mysql -y
systemctl enable php7.2-fpm

LB
https://blog.csdn.net/weixin_44188105/article/details/129139629
vim /etc/nginx/sites-enabled/default

vim /etc/nginx/conf.d/nginx.conf
# Weighted round-robin pool: .155 receives two requests for each one sent to
# .152; both back ends listen on 81.  (The name is spelled "load_banance" in
# both places; renaming it is cosmetic.)
upstream load_banance {

     server 192.168.23.152:81 weight=1;
     server 192.168.23.155:81 weight=2;
}
server {
        
        listen 80 default_server;
        listen [::]:80 default_server;
        
        server_name _;

        location / {
                
                # No proxy_set_header lines, so the back ends see the proxy's
                # address as the client and "load_banance" as Host; add
                # X-Forwarded-For / Host if the back-end logs or app need them.
                proxy_pass http://load_banance;
        }
}

# Three alternative definitions of the same upstream name; only one may be
# present in a loaded config.
# 1) default round robin with weights (3:2:1 towards 192.168.0.100).
upstream myapp1 {
    server srv1.com weight=1; 
    server srv2.com:8088 weight=2; 
    server 192.168.0.100:8088 weight=3;
}

# 2) least_conn: send to the back end with the fewest active connections.
upstream myapp1 {
    least_conn;
    server srv1.com;
    server srv2.com:8088;
    server 192.168.0.100:8088;
}

# 3) ip_hash: pin each client address to one back end (session stickiness).
upstream myapp1 {
    ip_hash;
    server srv1.com;
    server srv2.com:8088;
    server 192.168.0.100:8088;
}

# cd /root
# . admin-openrc
# openstack project list
# openstack project create --description "Test Project" test
# openstack project set 93f6b89e92dc4ed3b758f530bc2da84e --name test-new
# openstack project show 93f6b89e92dc4ed3b758f530bc2da84e
# openstack project delete 93f6b89e92dc4ed3b758f530bc2da84e
# openstack user list
# openstack user create --domain default --password-prompt tom
# openstack user set tom --name tom-new
# openstack user delete tom-new
# openstack role list
# openstack role create role1
# openstack role add --user testuser --project demo role1
# openstack role remove --user testuser --project demo role1
# openstack role list --user testuser --project demo
# openstack role delete role1
# openstack compute service list
# nova hypervisor-show a69d9575-3029-4641-8157-4be0badb605b

# openstack compute service list
# nova hypervisor-list
# nova hypervisor-show a69d9575-3029-4641-8157-4be0badb605b
# nova hypervisor-stats
# nova hypervisor-servers openstack-563-h2
# nova hypervisor-uptime a69d9575-3029-4641-8157-4be0badb605b

# openstack security group list
# openstack security group rule list
# openstack security group create hello --description "allow ping and ssh"
# openstack security group rule list hello
# openstack security group rule create --protocol icmp hello
# openstack security group rule create --protocol tcp --dst-port 22 hello
# openstack security group rule list hello
# openstack security group rule delete 18ab7052-d416-45af-9de3-cea39109e6ec
# openstack security group rule list hello
# openstack security group delete hello

# openstack image list
# openstack image create 'test' --file cirros-0.3.5-x86_64-disk.img --disk-format qcow2 --container-format bare --public
# openstack image set test --private

# openstack flavor create --id 1234 --vcpus 1 --ram 64 --disk 1 m1.nano
# openstack flavor list
# openstack flavor delete 1234

# service neutron-openvswitch-agent restart
# ps -ef|grep neutron-openvswitch-agent
# openstack network create --provider-network-type vxlan privatenetwork
# openstack subnet create --subnet-range 20.0.0.0/24 --network privatenetwork privatesubnet
# openstack network create --external --provider-physical-network external --provider-network-type flat publicnetwork
# openstack subnet create --subnet-range 172.171.0.0/24 --network publicnetwork publicsubnet
# openstack router create myroute
# openstack network delete privatenetwork
# openstack network delete publicnetwork

# openstack network list
# openstack security group list
# openstack server create --flavor small --image cirros --nic net-id=e744c24c-2e85-40cd-b3e5-42b092a38702 --security-group default myvm
# openstack server list
# openstack server pause myvm
# openstack server unpause myvm
# openstack server suspend myvm
# openstack server delete myvm

# swift stat
# openstack container create container1
# echo openlab > object.txt
# openstack object create container1 object.txt
# openstack object list container1
# openstack object save --file new-object.txt container1 object.txt

# nova service-list 
# nova quota-show --tenant <tenant_id> 
# nova list --all-te 
# nova show vmid 
# nova interface-list vmid 
# nova host-describe hostid 
# nova aggregate-list 
# nova aggregate-details 
# nova flavor-list 
# nova flavor-show name 
# nova hypervisor-list 
# nova hypervisor-show 
# nova availability-zone-list 
# nova list --all-t --host <host_id> 
# nova system-tags-show <host_id> 
# nova list --all-t --deleted 
# nova quota-update <tenant_id> [--ram] -1 

# glance image-list 
# glance image-show 

# neutron agent-list 
# neutron port-list | grep 
# neutron port-show id 
# neutron port-list --network-id <net_id> 
# neutron port-list --network-id <net_id> --device_owner network:dhcp 
# neutron security-group-list | grep security_groups_id -A 5
# neutron security-group-show <sg_id> 
# neutron security-group-rule-list | grep sg-yxf-test0209
# neutron security-group-rule-create  --tenant-id <tenant-id> --direction ingress --ethertype IPv4 \
--protocol tcp --port-range-min 80 --port-range-max 80 \
--remote-ip-prefix 193.173.63.57/32   bf4c618d-63c0-4c67-bb80-b0840f4f25d6(security_groups_id)
# neutron net-external-list 
# neutron qos-policy-list 
# neutron qos-policy-show <qos_id> 


# neutron net-list 
# nova interface-list vmid 
# neutron net-show netID 查
# neutron subnet-show <subnet_id> 


# cinder quota-show 
# cinder list --all | grep 
# cinder show volumeid 
# cinder service-list 
# cinder extra-specs-list 

# neutron quota-show --tenant-id <tenant-id> 
# neutron port-list --tenant_id <tenant-id> | wc -l 
# neutron quota-update --tenant-id  80646363702443fe8397f075b1345198 --port -1


# nova instance-action-list vmid ###req-id
# nova instance-action vmid req-id 

root-ssh
# Allow root to log in over SSH with a password.
vim /etc/ssh/sshd_config
# The commented line is the shipped default (key-only root login); the next
# line replaces it with password login.  Lab convenience only: with the
# ssh-copy-id key setup used earlier in these notes, prohibit-password is
# sufficient and keeps root off the password-guessing surface.
#PermitRootLogin prohibit-password
PermitRootLogin yes
systemctl restart sshd
systemctl status sshd

# Supplementary group for the admins, then the natasha account in it.
groupadd sysmgrs
useradd -G sysmgrs natasha
# NOTE(review): natasha already exists after the line above, so this second
# useradd fails; "usermod -s /sbin/nologin natasha" changes an existing shell.
useradd -s /sbin/nologin natasha
# --stdin is the RHEL passwd extension.  The plaintext password lands in the
# shell history; fine for an exam VM, not for anything shared.
echo redhat | passwd --stdin natasha
# Explicit home directory, created with -m.
useradd -d /home/yangxf -m yangxf
# No user argument: this changes the *invoking* user's shell, not yangxf's.
chsh -s /bin/bash

# Shared directory for sysmgrs: 2770 = setgid bit + rwx for owner and group,
# nothing for others, so files created inside inherit the sysmgrs group.
mkdir /home/managers/
chgrp sysmgrs /home/managers
chmod 2770 /home/managers
crontab
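# Per-user crontab for natasha; the middle line is the crontab's content
# (every 2 minutes, log a message via syslog).  The quotes were typographic
# curly quotes in the original and are now plain ASCII so the shell treats
# them as quoting instead of passing them to logger as part of the message.
crontab -e -u natasha
*/2 * * * *  logger "hello rhcsa"
crontab -l -u natasha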

SELinux(centos)
# SELinux: check the current mode, edit the persistent mode in
# /etc/selinux/config (SELINUX= line; takes effect on reboot), then label a
# non-standard port.
getenforce
vim /etc/selinux/config
vim /etc/selinux/config
# Ports httpd may bind to; add 82 so httpd can listen there under enforcing.
semanage port -l | grep http
semanage port -a -t http_port_t -p tcp 82
# Reset file contexts under the web root to the policy defaults.
restorecon -Rv /var/www/html/

ulimit
ulimit -a
# Raise the open-files and max-user-processes limits for every login shell
# that sources /etc/profile.  NOTE(review): each run appends another copy of
# these lines; for a non-root login "ulimit -n" cannot exceed the hard limit,
# in which case /etc/security/limits.conf is the usual place.
echo "ulimit -n 65535" >> /etc/profile
echo "ulimit -u 10000" >> /etc/profile
# Re-read the profile so the new limits apply to the current shell.
source /etc/profile

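# POSIX ACL walkthrough with setfacl/getfacl/chacl on two scratch files.
touch file1 file2
getfacl file1 file2
# Test user who receives the extra ACL entries.
sudo useradd op1
sudo passwd op1
# Named-user entry, then a named-group entry, then remove the group entry.
setfacl -m u:op1:rw- file1
getfacl file1
setfacl -m g:op1:rw- file1
setfacl -x g:op1 file1
# Entries can also be read from a file, one entry per line (content follows).
vim temp.txt
u:op1:rwx
setfacl -M temp.txt file1
# Was "getfcl" in the original — that command does not exist.
getfacl --omit-header file1
# -b strips every extended entry, leaving only the owner/group/other base.
setfacl -b file1
# chacl and setfacl spell the base entries differently for the same result.
chacl u::rwx,g::rw-,o::--- file1 file2
setfacl -m u::rwx,g::rw-,o::--- file1 file2
chacl -l file1 file2
# --set replaces the whole ACL instead of merging into it.
setfacl --set=u::rw-,g::rw-,o::r--,u:op1:rw- file1
mkdir mydir
getfacl -R mydir
setfacl -R -m u:op1:rwx mydir
setfacl -m o::r-- mydir
getfacl --omit-header mydir
mkdir dir1
getfacl --omit-header dir1
# d: entries are default ACLs inherited by new children of a directory.
# NOTE(review): mydir2 is never created above — create it first or use dir1.
setfacl -m d:g::rw-,d:o::r-- mydir2
getfacl mydir2
# chacl -d sets only the default ACL.
chacl -d u::rwx,g::r--,o::r-- mydir
getfacl --omit-header mydir
# -B removes all ACLs (access and default) from everything in the cwd.
chacl -B *
chacl -B *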

# Scheduling-priority demo.  Lower nice = higher priority; only root may
# lower a value (nice -n -5, or renice below the current value).
ps -l
vi ~/.bashrc &
nice -n -5 vi &

nice -n +5 vi &
vi &
ps -l
# PIDs below are from the author's session; look them up with ps first.
renice +10 4274
ps -l | grep vim
# Bare nice prints the current niceness.
nice
renice 8 27091

RHCE8
1、/etc/ansible/ansible.cfg
2、ansible-doc yum_repository


---
# Build vg0 on /dev/vdb and carve lv0 out of it, degrading gracefully: steps
# that may legitimately fail on a host without the disk are ignored, and the
# 1500m lv falls back to 800m when the VG is too small.
- name: create lv
  hosts: all
  tasks:
          - name: create pv and vg
            lvg:
                    pvs: /dev/vdb
                    vg: vg0
                    state: present
            ignore_errors: yes
           

          # Probe only: rc is checked by the next task, so a failure here must
          # not stop the host.
          - name: test vg0
            command: vgdisplay vg0
            ignore_errors: yes
            register: vg_result

          - name: message
            debug:
                    msg: "vg group does not exist"
            when: vg_result.rc != 0

          # block tries the full size; rescue runs only when the block failed.
          - name: create lv
            block:
                    - name: create 1.5G lv
                      lvol:
                              vg: vg0
                              lv: lv0
                              size: 1500m
            rescue: 
                    - name: debug msg
                      debug:
                              msg: "could not create lv of that size"
                    - name: create 800m lv
                      lvol:
                              vg: vg0
                              lv: lv0
                              size: 800m
                      # Ignored so mkfs below still runs when the fallback fails too.
                      ignore_errors: yes
                      
          - name: mkfs.ext4
            filesystem:
                    dev: /dev/vg0/lv0
                    fstype: ext4
            ignore_errors: yes
            
            
            
1111
inventory 
# Exam inventory: one host per environment plus a load balancer.
[dev]
servera.lab.example.com
[test]
serverb.lab.example.com
[prod]
serverc.lab.example.com
serverd.lab.example.com
[balancers]
bastion.lab.example.com
# webservers is a parent group: it contains the hosts of prod.
[webservers:children]
prod
ansible.cfg
[defaults]
# Inventory and roles relative to the project directory; student is the SSH user.
inventory = ./inventory
roles_path = ./roles
remote_user = student 
[privilege_escalation]
# sudo to root without a prompt: requires passwordless sudo for student on
# every managed host.
become=True
become_method=sudo
become_user=root
become_ask_pass=False

# Sanity checks: inventory resolution, installed roles, and the Ansible ping
# module (SSH + Python on the target, not ICMP).
ansible all --list-hosts
ansible-galaxy list
ansible all -m ping

2222
#!/bin/bash
# Ad-hoc: define the two EX294 yum repositories (BaseOS and AppStream) on every
# managed host.  Both share the base URL and the Red Hat release signing key;
# gpgcheck=yes means packages are verified even though the repo itself is
# served over plain http from the lab content server.
repo_base='http://content.example.com/rhel8.0/x86_64/dvd'
repo_key="${repo_base}/RPM-GPG-KEY-redhat-release"
for spec in 'EX294_BASE|EX294 base software|BaseOS' \
            'EX294_STREAM|EX294 stream software|AppStream'; do
  IFS='|' read -r repo_name repo_desc repo_dir <<<"${spec}"
  ansible all -m yum_repository -a "name=${repo_name} description=\"${repo_desc}\" baseurl=${repo_base}/${repo_dir} gpgcheck=yes gpgkey=${repo_key} enabled=yes"
done
# Run from the shell, not inside the script: make ad-hoc.sh executable.
chmod a+x ad-hoc.sh

3333
---
# Packages per environment: php + mariadb everywhere, the Development Tools
# group and a full update only on dev.
- name: install
  hosts: dev,test,prod
  tasks:
          - name: install
            yum:
                    name:
                            - php
                            - mariadb
                    state: present
          - name: install2
            yum:
                    # "@name" installs a yum/dnf package group.
                    name: "@Development Tools"
                    state: present
            when: inventory_hostname in groups.dev
          - name: update
            yum:
                    # '*' with latest = update every installed package.
                    name: '*'
                    state: latest
            when: inventory_hostname in groups.dev

4444a
--- 
# Apply the RHEL timesync system role with one NTP server (iburst speeds up
# the initial sync).
- name: task
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - rhel-system-roles.timesync

4444b
--- 
# Apply the RHEL selinux system role to put every host in enforcing mode.
- name: task
  hosts: all
  vars:
          selinux_state: enforcing
  roles:
          - rhel-system-roles.selinux

5555
cat requirements.yml 
---
# Roles pulled as tarballs from the lab content server over plain http;
# ansible-galaxy checks no checksum or signature for these.
- src: http://materials.example.com/phpinfo.tar
  name: phpinfo

- src: http://materials.example.com/haproxy.tar
  name: balance
# Install into ./roles, the roles_path set in ansible.cfg, then list them.
ansible-galaxy install -r ./requirements.yml -p ./roles/
ansible-galaxy list

6666
# Scaffold the apache role skeleton (tasks/, templates/, ... under roles/).
ansible-galaxy init apache
main.yml
---
# tasks file for apache
# Install httpd, open 80/tcp (runtime and permanent), render the index page
# and start httpd.  firewalld is started first so the firewalld module has a
# daemon to talk to.
- name: task1
  yum:
          name: httpd
          state: present
- name: task2
  service:
          name: firewalld
          state: started
          enabled: yes
- name: task3
  firewalld:
          port: 80/tcp
          permanent: yes
          state: enabled
          immediate: yes
- name: task4
  template:
          src: index.html.j2
          dest: /var/www/html/index.html
- name: task5
  service:
          name: httpd
          state: started
          enabled: yes
templates
# Find the fact names the template uses, then the template's one line.
ansible dev -m setup | grep defau -A 2
ansible dev -m setup | grep fqdn
Welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}

--- 
# Apply the apache role to webservers (= the prod hosts via the children group).
- name: task1
  hosts: webservers
  roles:
          - apache
# serverc is in prod, hence in webservers; expect the rendered welcome line.
curl http://serverc

7777
---
# phpinfo role on the web servers, haproxy ("balance") role on the balancer.
- name: task1
  hosts: webservers
  roles:
          - phpinfo
# In a play roles run before tasks, so the balancer is configured first and
# then 80/tcp is opened for it.
- name: task2
  hosts: balancers
  roles:
          - balance
  tasks:
          - name: task2-1
            service:
                    name: firewalld
                    state: started
                    enabled: yes
          - name: task2-2
            firewalld:
                    port: 80/tcp
                    permanent: yes
                    state: enabled
                    immediate: yes
8888
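---
# Partition /dev/vdb, build vg0 on it and put an ext4 lv0 on top.  The parted
# step falls back to a smaller partition if 1500MiB does not fit; the later
# steps carry ignore_errors so a host without /dev/vdb does not stop the play.
- name: task
  hosts: all
  tasks:
          - name: task1
            block:
                    - name: task1-1
                      parted:
                              number: 1
                              part_end: 1500MiB
                              device: /dev/vdb
                              state: present
                              flags: [lvm]
            rescue:
                    - name: task1-2
                      debug:
                              msg: "could not create lv of that size"
                    - name: task1-3
                      parted:
                              number: 1
                              part_end: 800MiB
                              device: /dev/vdb
                              state: present
                              flags: [lvm]
                      ignore_errors: yes
          - name: task2
            lvg:
                    pvs: /dev/vdb1
                    vg: vg0
            ignore_errors: yes
          # Probe only.  ignore_errors keeps a missing vg0 from aborting the
          # host before the message below is shown (the original shell task
          # had no ignore_errors, so vg.rc was never evaluated on a host where
          # the VG is missing); changed_when keeps the read-only probe out of
          # the "changed" count; command suffices as no shell features are used.
          - name: task2-1
            command: vgdisplay vg0
            register: vg
            ignore_errors: yes
            changed_when: false
          - name: task2-1-1
            debug:
                    msg: "vg group does not exist"
            when: vg.rc != 0
          - name: task2-2
            lvol:
                    vg: vg0
                    lv: lv0
                    size: 100%FREE
            ignore_errors: yes
          - name: task3
            filesystem:
                    fstype: ext4
                    dev: /dev/vg0/lv0
            ignore_errors: yes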
# Verify on a managed host: the lv should show TYPE="ext4".
blkid /dev/vg0/lv0

9999

ansible dev -m setup | grep 
{# One /etc/hosts-style line per inventory host: IP, FQDN, short hostname.
   hostvars[i] only carries these facts for hosts whose facts were gathered in
   the same run, so the play rendering this must target all hosts. #}
{% for i in groups.all %}
{{ hostvars[i].ansible_default_ipv4.address }} {{ hostvars[i].ansible_fqdn}} {{ hostvars[i].ansible_hostname }}
{% endfor %}

---
# hosts: all so facts exist for every host the template loops over; the when
# clause restricts the actual write to the dev group.
- name: set hosts
  hosts: all
  tasks:
          - name: create file
            template:
                    src: ./hosts.j2
                    dest: /etc/myhosts
            when: inventory_hostname in groups.dev
1010
---
# Pre-login banner (/etc/issue) named after each host's environment group.
- name: task
  hosts: all
  tasks:
          - name: task1
            copy:
                    content: "Development\n"
                    dest: /etc/issue
            when: inventory_hostname in groups.dev
          - name: task2
            copy:
                    content: "Test\n"
                    dest: /etc/issue
            when: inventory_hostname in groups.test

          - name: task3
            copy:
                    content: "Production\n"
                    dest: /etc/issue
            when: inventory_hostname in groups.prod

1011
ls -Zd /var/www/html隐藏
---
# Web content directory for the webdev group on dev, exposed through httpd.
- name: task
  hosts: dev
  tasks:
          - name: task1
            group:
                    name: webdev
                    state: present
          # 2755 = setgid directory: new files inherit the webdev group.
          # setype labels it as web content so httpd may read it under SELinux.
          - name: task2
            file:
                    path: /webdev
                    group: webdev
                    mode: '2755'
                    state: directory
                    setype: httpd_sys_content_t
          # Symlink from the document root to /webdev.
          - name: task3
            file:
                    src: /webdev
                    dest: /var/www/html/webdev
                    state: link

          - name: task4
            copy:
                    content: "Development\n"
                    dest: /webdev/index.html
                    setype: httpd_sys_content_t
          - name: task5
            firewalld:
                    port: 80/tcp
                    permanent: yes
                    immediate: yes
                    state: enabled
          - name: task6
            service:
                    name: httpd
                    state: restarted
                    enabled: yes

1012
# Look up the fact names used in the hardware report (memory, bios, devices).
ansible dev -m setup |grep mem
ansible dev -m setup |less
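---
# Fill in /root/hwreport.txt from a downloaded skeleton using gathered facts.
- name: task
  hosts: all
  tasks:
          # Plain-http download from the lab content server; no checksum is
          # published for the empty template, so none is checked here.
          - name: task1
            get_url:
                    url: http://materials.example.com/hwreport.empty
                    dest: /root/hwreport.txt
          - name: task2-1
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^HOST'
                    line: "HOST={{ inventory_hostname }}"
          - name: task2-2
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^MEMORY'
                    line: "MEMORY={{ ansible_memtotal_mb }}"
          - name: task2-3
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^BIOS'
                    line: "BIOS={{ ansible_bios_version }}"
          - name: task2-4
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^DISK_SIZE_VDA'
                    line: "DISK_SIZE_VDA={{ ansible_devices.vda.size }}"
          # dest: was indented at the module's level in the original, which is
          # not valid YAML for this task; it belongs with the other parameters.
          - name: task2-5
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^DISK_SIZE_VDB'
                    line: "DISK_SIZE_VDB={{ ansible_devices.vdb.size }}"
            when: ansible_devices.vdb is defined
          - name: task2-6
            lineinfile:
                    dest: /root/hwreport.txt
                    regexp: '^DISK_SIZE_VDB'
                    line: "DISK_SIZE_VDB=NONE"
            when: ansible_devices.vdb is not defined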

1013
# Create and then display the vault.  The two lines after are the *decrypted*
# contents as written into these notes: anyone holding this file has the
# passwords, so the notes need the same protection as the vault.
ansible-vault create locker.yml
ansible-vault view locker.yml
pw_developer: Imadev
pw_manager: Imamgr

1014
---
# Create the devops/opsmgr groups per environment, then create users from
# user_list.yml with passwords taken from the vault-encrypted locker.yml.
- name: task1
  hosts: dev,test,prod
  tasks:
          - name: task1-1
            group:
                    name: devops
                    state: present
            when: inventory_hostname in groups.dev or inventory_hostname in groups.test
          - name: task1-2
            group:
                    name: opsmgr
                    state: present
            when: inventory_hostname in groups.prod
- name: task2
  hosts: dev,test
  vars_files:
          - user_list.yml
          - locker.yml
  tasks:
          - name: task2-1
            user:
                    name: "{{ item.name }}"
                    # Without append: yes this replaces the user's supplementary
                    # groups with exactly this list.
                    groups: devops
                    comment: "{{ item.job }}"
                    state: present
                    # password_hash without a fixed salt yields a new hash every
                    # run, so this task reports "changed" on every play.
                    password: "{{ pw_developer | password_hash('sha512') }}"
            loop: "{{ users }}"
            when: item.job == "developer"
- name: task3
  hosts: prod
  vars_files:
          - user_list.yml
          - locker.yml
  tasks:
          - name: task3-1
            user:
                    name: "{{ item.name }}"
                    groups: opsmgr
                    comment: "{{ item.job }}"
                    state: present
                    password: "{{ pw_manager | password_hash('sha512') }}"
            loop: "{{ users }}"
            when: item.job == "manager"
# secret.txt holds the vault password in clear: keep it mode 0600 and out of
# version control; it is as sensitive as locker.yml's contents.
ansible-playbook --vault-password-file=secret.txt users.yml

1015
# Change the vault password of an existing file (prompts for old and new).
ansible-vault rekey salaries.yml

1016
---
# Crontab entry for user student on every host: every 2 minutes, log a
# message via syslog.  name: is how the cron module finds the entry later.
- name: task
  hosts: all
  tasks:
          - name: task1
            cron:
                    name: "defining cron job"
                    minute: '*/2'
                    user: student
                    job: logger "EX294 in progress"
                    state: present
                    
验证:crontab -l -u student

su vyos
$ configure
# set system host-name R1
# commit
# save
# exit

$ configure
# set interfaces ethernet eth1 address 10.0.0.1/24
# set interfaces ethernet eth2 address 192.168.1.1/24
# set interfaces loopback lo address 1.1.1.1/32
# commit
# save
# exit

DHCP
$ configure
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' start '192.168.1.10' stop '192.168.1.254'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' domain-name 'internal-net'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' lease 86400
# commit

# dhclient ens4
///
IP
# ifconfig ens4 192.168.1.10 netmask 255.255.255.0

R2
OSPF
$ configure
# set protocols ospf area 0 network 30.0.0.0/24
# set protocols ospf area 0 network 40.0.0.0/24
# set protocols ospf area 0 network 2.2.2.2/32
# commit
# save

run show ip route

ping 60.0.0.2 -c 3

R2
BGP
$ configure
# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 2.2.2.2
# set protocols bgp 100 neighbor 3.3.3.3 nexthop-self

# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 2.2.2.2
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit

eBGP
# set protocols bgp 100 neighbor 10.0.0.1 remote-as 200
# set protocols bgp 100 neighbor 10.0.0.1 update-source 10.0.0.2
# set protocols bgp 100 neighbor 10.0.0.1 ebgp-multihop 2
# commit

OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

R1-Host-AS200
eBGP
# set protocols bgp 200 neighbor 10.0.0.2 remote-as 100
# set protocols bgp 200 neighbor 10.0.0.2 update-source 10.0.0.1
# set protocols bgp 200 neighbor 10.0.0.2 ebgp-multihop 2
# commit
# save

R4-Host-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 4.4.4.4

# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 4.4.4.4
# commit

R3-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 3.3.3.3
# set protocols bgp 100 neighbor 2.2.2.2 nexthop-self

# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 3.3.3.3
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit

eBGP
# set protocols bgp 100 neighbor 20.0.0.1 remote-as 300
# set protocols bgp 100 neighbor 20.0.0.1 update-source 20.0.0.2
# set protocols bgp 100 neighbor 20.0.0.1 ebgp-multihop 2
# commit

# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

R5-Host-AS300
eBGP
# set protocols bgp 300 neighbor 20.0.0.2 remote-as 100
# set protocols bgp 300 neighbor 20.0.0.2 update-source 20.0.0.1
# set protocols bgp 300 neighbor 20.0.0.2 ebgp-multihop 2
# commit
# save

NAT
# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.1.0/24
# set nat source rule 100 translation address masquerade
# commit
# save

# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.0.0/24
# set nat source rule 100 translation address masquerade
# commit
# save

show nat

HOST-ROUTE
# Static route on the host (legacy net-tools syntax; the iproute2 equivalent
# is "ip route add 20.0.0.0/24 via 60.0.0.1").  Not persistent across reboot.
route add -net 20.0.0.0/24 gw 60.0.0.1

vim /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
# ens33 takes its address from DHCP but resolves through the lab BIND server
# and gets a static route for 10.10.10.0/24.  NOTE(review): with dhcp4: true
# the DHCP-supplied nameservers are still applied alongside this one unless
# dhcp4-overrides: {use-dns: false} is set — confirm which resolver wins.
network:
  ethernets:
    ens33:
      dhcp4: true
      nameservers:
              addresses: [192.168.23.152]
      routes:
              - to: 10.10.10.0/24
                via: 192.168.23.2
  version: 2
# Render and apply the netplan config ("netplan try" rolls back on a lost session).
netplan apply

VPN
R5
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# set vpn ipsec ipsec-interfaces interface 'eth1'

# set vpn ipsec site-to-site peer 10.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 10.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 10.0.0.1 local-address '20.0.0.1'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 local prefix '192.168.0.0/24'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 remote prefix '192.168.1.0/24'
# show vpn ipsec site-to-site peer 10.0.0.1

R1
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# set vpn ipsec ipsec-interfaces interface 'eth1'

# set vpn ipsec site-to-site peer 20.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 20.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 20.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 20.0.0.1 local-address '10.0.0.1'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 local prefix '192.168.1.0/24'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 remote prefix '192.168.0.0/24'
# show vpn ipsec site-to-site peer 20.0.0.1

run show vpn ike sa
run show vpn ipsec sa

R1-del-NAT
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.0.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99

R5-del-NAT
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.1.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99
