1. Implementing vsftpd virtual-user access with MySQL-based authentication
1.1 Environment preparation
One host as the MariaDB database server (MySQL 8.0 no longer supports the PASSWORD() function)
One CentOS 7 host as the FTP server
1.2 Database server configuration
- Install the MySQL database
[root@centos8 ~]#yum -y install mariadb-server
[root@centos8 ~]#systemctl enable --now mariadb.service
- Configure the database on the database server to support the vsftpd service
MariaDB [(none)]> create database vsftpd_DB;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> use vsftpd_DB
Database changed
MariaDB [vsftpd_DB]> create table users
-> (id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
-> name CHAR(50) BINARY NOT NULL,
-> password CHAR(48) BINARY NOT NULL);
Query OK, 0 rows affected (0.043 sec)
#Add the virtual users; for safety the password should be stored after hashing it with the PASSWORD() function
#Note: MySQL 8.0 has removed the PASSWORD() function
MariaDB [vsftpd_DB]> insert into users(name,password) values('ftp_jiangde',password('Test@123'));
Query OK, 1 row affected (0.003 sec)
MariaDB [vsftpd_DB]> insert into users(name,password) values('ftp_HY',password('Test@123'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd_DB]> select * from users;
+----+-------------+-------------------------------------------+
| id | name        | password                                  |
+----+-------------+-------------------------------------------+
|  1 | ftp_jiangde | *BCF4F28E525ED7EE4664FFFF4DAE13EC14A6ABE1 |
|  2 | ftp_HY      | *BCF4F28E525ED7EE4664FFFF4DAE13EC14A6ABE1 |
+----+-------------+-------------------------------------------+
2 rows in set (0.001 sec)
#Create the database user that vsftpd will connect as
MariaDB [vsftpd_DB]> grant select on vsftpd_DB.* to vsftpd_user@'192.168.1.%' identified by 'Test@1234';
Query OK, 0 rows affected (0.002 sec)
MariaDB [vsftpd_DB]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
MariaDB [vsftpd_DB]>
1.3 FTP server configuration
- Install the vsftpd and pam_mysql packages on the FTP server
[root@centos7 ~]#yum -y install vsftpd
#pam-mysql has to be built from source
[root@centos7 ~]#yum -y install vsftpd gcc gcc-c++ mariadb-devel pam-devel
[root@CentOS7 ~]# wget --no-check-certificate https://nchc.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz
[root@centos7 ~]#tar xvf pam_mysql-0.7RC1.tar.gz
[root@centos7 ~]#cd pam_mysql-0.7RC1/
[root@centos7 pam_mysql-0.7RC1]#./configure --with-pam-mods-dir=/lib64/security
[root@centos7 pam_mysql-0.7RC1]#make install
#Files produced by the build and install
[root@centos7 pam_mysql-0.7RC1]#ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 Dec 17 14:34 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141712 Dec 17 14:34 /lib64/security/pam_mysql.so
- Create the file needed for PAM authentication on the FTP server
[root@CentOS7 pam_mysql-0.7RC1]# cat /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd_user passwd=Test@1234 host=192.168.1.42 db=vsftpd_DB table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd_user passwd=Test@1234 host=192.168.1.42 db=vsftpd_DB table=users usercolumn=name passwdcolumn=password crypt=2
[root@CentOS7 pam_mysql-0.7RC1]#
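As an added illustration (not part of the original post), the following Python reproduces the hashing that PASSWORD() in section 1.2 and crypt=2 in the PAM file above rely on: a '*' followed by the upper-case hex of SHA1(SHA1(password)). The USERS dictionary is a copy of the table from section 1.2; the function and variable names are this example's own. Running it shows why ftp_jiangde and ftp_HY ended up with the identical stored hash: the scheme has no salt, so anyone who can read the users table can tell which accounts share a password.

```python
import hashlib
import hmac


def mysql_native_hash(password: str) -> str:
    """Reproduce MariaDB/MySQL PASSWORD(): '*' + UPPER(HEX(SHA1(SHA1(password)))).

    This is the scheme pam_mysql selects with crypt=2. No salt is involved,
    so equal passwords always produce equal hashes.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Check a login the way the PAM module does: hash the submitted password
    and compare it with the value in the password column."""
    return hmac.compare_digest(mysql_native_hash(candidate), stored_hash)


# Constructed copy of the users table from section 1.2 (same values as on the page).
USERS = {
    "ftp_jiangde": "*BCF4F28E525ED7EE4664FFFF4DAE13EC14A6ABE1",
    "ftp_HY": "*BCF4F28E525ED7EE4664FFFF4DAE13EC14A6ABE1",
}


def duplicate_password_groups(users: dict) -> list:
    """Group usernames that share a stored hash. With an unsalted scheme an
    identical hash means an identical password, visible to any reader of the table."""
    by_hash = {}
    for name, digest in users.items():
        by_hash.setdefault(digest, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


if __name__ == "__main__":
    print(mysql_native_hash("Test@123"))
    print(verify_password("Test@123", USERS["ftp_jiangde"]))
    print(duplicate_password_groups(USERS))
```

On a live server the module compares the hash it computes for the submitted password with the password column exactly as verify_password() does, so the database row is what protects the account. The PAM file itself carries the database credential in clear text, so keep /etc/pam.d/vsftpd.mysql readable by root only (chmod 600).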
- Create the mapped user and modify the vsftpd configuration file
[root@CentOS7 ~]# useradd -r -s /sbin/nologin -d /data/ftproot vuser
[root@CentOS7 ~]# mkdir -p /data/ftproot/upload
[root@CentOS7 ~]# setfacl -m u:vuser:rwx /data/ftproot/upload
[root@CentOS7 ~]# ll /data/ftproot/
total 0
drwxrwxr-x+ 2 root root 6 May 5 11:27 upload
[root@centos7 ~]#vim /etc/vsftpd/vsftpd.conf
#Add the following two settings
guest_enable=YES
guest_username=vuser
#Change the following setting; after this the original system users can no longer log in
pam_service_name=vsftpd.mysql
[root@CentOS7 ~]# systemctl start vsftpd
[root@CentOS7 ~]# systemctl status vsftpd
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2022-05-05 11:32:20 CST; 6s ago
Process: 30055 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 30056 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─30056 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
May 05 11:32:20 CentOS7.9.example.com systemd[1]: Starting Vsftpd ftp daemon...
May 05 11:32:20 CentOS7.9.example.com systemd[1]: Started Vsftpd ftp daemon.
[root@CentOS7 ~]#
- Give the virtual users different access permissions on the FTP server
vsftpd can keep a separate configuration file for each user in a configuration directory to define that user's FTP access permissions; each virtual user's configuration file is named after the virtual user's username. The configuration directory can be any unused directory; it only needs to be specified by path and name in vsftpd.conf.
#Configure vsftpd to use a per-user configuration directory for virtual users
[root@centos7 ~]#vim /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/conf.d/
#Create the required directory and provide configuration files for the virtual users
[root@centos7 ~]#mkdir /etc/vsftpd/conf.d/
#A virtual user's access to the vsftpd service is controlled through the anonymous-user directives. For example, to allow user wang to upload files, edit the file named wang in the user_config_dir directory (here /etc/vsftpd/conf.d/wang), add the following options and set them to YES; set them to NO for read-only access
#Note: make sure the mapped user has write permission on the filesystem
[root@centos7 ~]#vim /etc/vsftpd/conf.d/ftp_jiangde
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
#Change the login directory to the specified directory
local_root=/data/ftproot
1.4 Testing
- Test with a Windows client
2. Configure a samba share to share the /www directory
2.1 Samba server-side configuration
[root@CentOS7 ~]#yum -y install samba
[root@CentOS7 ~]#groupadd -r admins
[root@CentOS7 ~]#useradd -s /sbin/nologin -G admins jd
[root@CentOS7 ~]# smbpasswd -a jd
New SMB password:
Retype new SMB password:
[root@CentOS7 ~]#useradd -s /sbin/nologin smb_test
[root@CentOS7 ~]#smbpasswd -a smb_test
New SMB password:
Retype new SMB password:
#Create the samba share directory and set its permissions
[root@CentOS7 ~]#mkdir /www
[root@CentOS7 ~]# ll /www -d
drwxr-xr-x. 2 root root 6 May 5 16:08 /www
[root@CentOS7 ~]#chgrp admins /www
[root@CentOS7 ~]#chmod 2775 /www
[root@CentOS7 ~]# ll /www -d
drwxrwsr-x. 2 root admins 6 May 5 16:08 /www
#Samba server configuration
[root@CentOS7 ~]vim /etc/samba/smb.conf
...earlier content omitted; add the following section...
[www]
path = /www
write list = @admins
[root@CentOS7 ~]systemctl enable --now smb
2.2 Client access
The commands are as follows (example):
[root@localhost ~]#yum -y install cifs-utils
[root@localhost ~]#mkdir /mnt/jd
[root@localhost ~]#mount -o user=jd,password=Test@123 //192.168.1.33/www /mnt/jd
[root@localhost ~]#mkdir /mnt/smbtest
[root@localhost ~]#mount -o user=smb_test,password=Test@123 //192.168.1.33/www /mnt/smbtest
[root@localhost ~]# touch /mnt/smb3/test.txt
[root@localhost ~]# ll /mnt/smb3
total 0
-rwxr-xr-x 1 root root 0 May 6 00:11 test.txt
[root@localhost ~]# ll /mnt/smbtest
total 0
-rwxr-xr-x 1 root root 0 May 6 00:11 test.txt
[root@localhost ~]#
[root@localhost ~]# touch /mnt/smbtest/test2.txt
touch: cannot touch '/mnt/smbtest/test2.txt': Permission denied
[root@localhost ~]# mount -o user=jd,password=Test@123 //192.168.1.33/www /mnt/jd
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
...omitted...
tmpfs 96400 0 96400 0% /run/user/0
//192.168.1.33/www 104806400 2706864 102099536 3% /mnt/smbtest
//192.168.1.33/www 104806400 2706864 102099536 3% /mnt/smb3
//192.168.1.33/www 104806400 2706864 102099536 3% /mnt/jd
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# echo "test123" > /mnt/jd/test123
#Check on the server side
[root@CentOS7 ~]# ll /www
total 4
-rwxr--r--. 1 jd admins 8 May 5 16:24 test123
-rwxr--r--. 1 smb3 admins 0 May 6 2022 test1.txt
-rwxr--r--. 1 smb3 admins 0 May 6 2022 test.txt
3. Real-time synchronization of the /www directory with rsync+inotify
3.1 Environment preparation
One host as the rsync server (backup-server, rsyncd, /data/backup)
One host as data+inotify (data-server, inotify, /data/www)
3.2 rsyncd server side
[root@localhost ~]# yum install -y rsync
[root@localhost ~]# cat /etc/rsyncd.conf
uid = root
gid = root
max connections = 0
ignore errors
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
exclude = lost+found/
#port = 874
#use chroot = no
[backup]
path = /data/backup/
comment = backup dir
read only = no
auth users = rsyuser
secrets file = /etc/rsync.pas
[root@localhost ~]#mkdir -p /data/backup
[root@localhost ~]#echo "rsyuser:Test@123" > /etc/rsync.pas
[root@localhost ~]#chmod 600 /etc/rsync.pas
[root@localhost ~]#systemctl start rsyncd
3.3 Configuration on the data side
[root@CentOS7 ~]# mkdir /data/www
[root@CentOS7 ~]#echo "Test@123" > /etc/rsync.pas
[root@CentOS7 ~]#chmod 600 /etc/rsync.pas #this is mandatory: rsync refuses a password file with wider permissions
[root@CentOS7 ~]# rsync rsync://192.168.1.42
backup backup dir
[root@CentOS7 www]# rsync -avz --delete --password-file=/etc/rsync.pas /data/www/ rsync://rsyuser@192.168.1.42/backup
sending incremental file list
deleting backup.txt
./
datawww.txt
sent 113 bytes received 52 bytes 330.00 bytes/sec
total size is 0 speedup is 0.00
[root@CentOS7 www]#
3.4 Write a script for real-time data synchronization
Note: before running this script, make sure the initial data on the two hosts is already in sync; the script only handles subsequent synchronization
[root@CentOS7 www]# cat /root/inotify_rsync.sh
#!/bin/bash
SRC='/data/www/' #note the trailing /
DEST='rsyuser@192.168.1.42::backup'
rpm -q rsync &>/dev/null || yum -y install rsync
rpm -q inotify-tools &>/dev/null || yum -y install inotify-tools
inotifywait -mrq --exclude=".*\.swp" --timefmt '%Y-%m-%d %H:%M:%S' --format '%T %w %f' -e create,delete,moved_to,close_write,attrib ${SRC} | while read DATE TIME DIR FILE;do
FILEPATH=${DIR}${FILE}
rsync -az --delete --password-file=/etc/rsync.pas $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backuped up via rsync" >> /var/log/changelist.log
done
[root@CentOS7 www]#bash /root/inotify_rsync.sh & #run in the background to monitor
[root@CentOS7 www]#mkdir testdir #add a new directory; as shown below, the backup server picks it up automatically.
[root@CentOS7 ~]# cat /var/log/changelist.log
At 22:53:59 on 2022-05-05, file /data/www/testdir was backuped up via rsync
At 22:54:24 on 2022-05-05, file /data/www/backuptest.txt was backuped up via rsync
Check the relevant files on the backup server
[root@localhost backup]# watch -n0.5 ls -l /data/backup
4. Summary of LVS scheduling algorithms
ipvs scheduler: depending on whether the current load of each RS is taken into account when scheduling, the algorithms fall into two classes, static methods and dynamic methods.
4.1 Static methods
Scheduling is based on the algorithm itself only:
- RR: roundrobin, round-robin, commonly used
- WRR: Weighted RR, weighted round-robin, commonly used
- SH: Source Hashing, implements session stickiness by hashing the source IP address; requests from the same IP address are always sent to the RS chosen the first time, giving session binding
- DH: Destination Hashing; hashes the destination address. The first request is scheduled to an RS by round-robin, and subsequent requests for the same destination address are always forwarded to the RS chosen the first time. The typical use case is load balancing in a forward-proxy cache scenario, e.g. a Web cache
4.2 Dynamic methods
Scheduling is based mainly on the current load of each RS together with the scheduling algorithm; the RS with the smaller Overhead value is scheduled
- LC: least connections, suited to applications with long-lived connections
- WLC: Weighted LC, the default scheduling method, commonly used
- SED: Shortest Expected Delay, initial connections go to high-weight servers first; only active connections are counted, inactive connections are ignored
- NQ: Never Queue, the first round is distributed evenly, then SED
- LBLC: Locality-Based LC, a dynamic DH algorithm; use case: forward proxying according to load state, e.g. Web Cache
- LBLCR: LBLC with Replication, LBLC with replication support, which solves LBLC's load imbalance by replicating from a heavily loaded RS to a lightly loaded one; used for Web Cache etc.
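To make the difference between the static and dynamic methods concrete, here is an added Python simulation (not from the original post) of the schedulers listed above. RR, WRR, SH and DH pick without looking at load; LC, WLC, SED and NQ rank servers by an overhead value and take the smallest. The overhead formulas are the ones used by the IPVS kernel modules (LC: active*256+inactive; WLC: the same divided by weight; SED: (active+1)*256/weight; NQ: an idle server first, otherwise SED); the WRR walk is the classic IPVS current-weight algorithm, and the 256-bucket hash table is a simplified version of the IPVS SH/DH table. The RealServer class and all server addresses and counters are constructed for the example.

```python
from dataclasses import dataclass
from functools import reduce
from ipaddress import ip_address
from math import gcd


@dataclass
class RealServer:
    addr: str
    weight: int = 1
    active: int = 0    # established connections
    inactive: int = 0  # connections not in ESTABLISHED state


# ---- static methods: the load of the RS is not considered ----

class RoundRobin:
    def __init__(self, servers):
        self.servers, self.i = servers, -1

    def pick(self):
        self.i = (self.i + 1) % len(self.servers)
        return self.servers[self.i]


class WeightedRoundRobin:
    """Classic IPVS WRR: walk the list with a current weight cw that drops by the
    gcd of all weights on every full pass; a server is chosen when weight >= cw."""
    def __init__(self, servers):
        self.servers = servers
        self.gcd = reduce(gcd, (s.weight for s in servers))
        self.maxw = max(s.weight for s in servers)
        self.i, self.cw = -1, 0

    def pick(self):
        while True:
            self.i = (self.i + 1) % len(self.servers)
            if self.i == 0:
                self.cw -= self.gcd
                if self.cw <= 0:
                    self.cw = self.maxw
            if self.servers[self.i].weight >= self.cw:
                return self.servers[self.i]


def _hash_bucket(ip: str) -> int:
    # Multiplicative hash as in IPVS, reduced to 256 buckets (simplified here).
    return (int(ip_address(ip)) * 2654435761) & 0xFF


def build_hash_table(servers):
    """Give each server `weight` consecutive buckets, cycling until 256 are filled."""
    if all(s.weight <= 0 for s in servers):
        return []
    table, idx = [], 0
    while len(table) < 256:
        s = servers[idx % len(servers)]
        table.extend([s] * s.weight)
        idx += 1
    return table[:256]


def source_hash(table, src_ip):        # SH: stickiness keyed on the client address
    return table[_hash_bucket(src_ip)]


def destination_hash(table, dst_ip):   # DH: stickiness keyed on the destination address
    return table[_hash_bucket(dst_ip)]


# ---- dynamic methods: pick the RS with the smallest overhead ----

def overhead_lc(s):
    return s.active * 256 + s.inactive


def overhead_wlc(s):
    return (s.active * 256 + s.inactive) / s.weight


def overhead_sed(s):
    return (s.active + 1) * 256 / s.weight


def pick_least(servers, overhead):
    best = None
    for s in servers:
        if s.weight <= 0:          # weight 0 means quiesced: never chosen
            continue
        if best is None or overhead(s) < overhead(best):
            best = s
    return best


def lc(servers):
    return pick_least(servers, overhead_lc)


def wlc(servers):
    return pick_least(servers, overhead_wlc)


def sed(servers):
    return pick_least(servers, overhead_sed)


def nq(servers):
    """Never Queue: an idle server (no active connections) is taken at once,
    otherwise fall back to SED."""
    for s in servers:
        if s.weight > 0 and s.active == 0:
            return s
    return sed(servers)


if __name__ == "__main__":
    rs = [RealServer("192.168.21.7", weight=3), RealServer("192.168.21.8", weight=1)]
    wrr = WeightedRoundRobin(rs)
    print([wrr.pick().addr for _ in range(8)])
    print(source_hash(build_hash_table(rs), "10.0.0.5").addr)
```

Comparing lc() and wlc() on the same two servers shows what weight does: LC sends the next connection to the server with fewer connections in absolute terms, while WLC prefers the heavier-weighted server even though it already holds more. sed() and nq() differ exactly when one server is idle: NQ hands it the connection immediately instead of queueing behind the high-weight server.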
5. Cross-network DR implementation of LVS
5.1 Environment preparation
5.2 Network configuration
Disable iptables and SELinux on all hosts
Assign IP addresses to the five machines one by one according to the plan in the diagram above. Note that the router must have ip_forward enabled. Once that is done, the Client host can ping the LVS and RS1/RS2
[root@router ~]#echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
[root@router ~]#sysctl -p
Ping test from the Client
[root@Client ~]# ping -c1 192.168.21.7
PING 192.168.21.7 (192.168.21.7) 56(84) bytes of data.
64 bytes from 192.168.21.7: icmp_seq=1 ttl=63 time=0.868 ms
[root@Client ~]# ping -c1 192.168.21.8
PING 192.168.21.8 (192.168.21.8) 56(84) bytes of data.
64 bytes from 192.168.21.8: icmp_seq=1 ttl=63 time=0.957 ms
[root@Client ~]# ping -c1 192.168.21.10
PING 192.168.21.10 (192.168.21.10) 56(84) bytes of data.
64 bytes from 192.168.21.10: icmp_seq=1 ttl=63 time=0.588 ms
5.3 IPVS configuration on the backend RSs
#IPVS configuration on RS1 (RS2 is configured the same way)
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@rs1 ~]# ip address add 172.16.0.100 dev lo #this sets the IP temporarily; to make it permanent, write it into the configuration file.
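The four echo commands above only change the running kernel; if any of them is left at the default on an RS, that RS will answer ARP requests for the VIP and client traffic can bypass the director. The following added Python (not part of the original post) reads the same keys back from /proc/sys, reports which ones deviate from the DR requirements, and emits the equivalent /etc/sysctl.conf lines for making them persistent. The proc_root parameter and the write_fake_proc() helper exist only so the check can be exercised against a constructed directory tree instead of a real host; on an RS you would call check_dr_arp() with its default argument.

```python
import tempfile
from pathlib import Path

# Kernel settings a DR-mode real server needs so that it neither answers ARP
# requests for the VIP bound on lo nor advertises the VIP as its own source
# (the four values written with echo in section 5.3).
REQUIRED_ARP_SYSCTLS = {
    "net/ipv4/conf/all/arp_ignore": "1",
    "net/ipv4/conf/all/arp_announce": "2",
    "net/ipv4/conf/lo/arp_ignore": "1",
    "net/ipv4/conf/lo/arp_announce": "2",
}


def read_sysctl(key: str, proc_root: str = "/proc/sys"):
    """Read one sysctl as the kernel exposes it under /proc/sys; None if absent."""
    path = Path(proc_root) / key
    return path.read_text().strip() if path.is_file() else None


def check_dr_arp(proc_root: str = "/proc/sys") -> dict:
    """Map each required key to (expected, actual, ok)."""
    report = {}
    for key, expected in REQUIRED_ARP_SYSCTLS.items():
        actual = read_sysctl(key, proc_root)
        report[key] = (expected, actual, actual == expected)
    return report


def all_ok(report: dict) -> bool:
    return all(ok for _, _, ok in report.values())


def sysctl_conf_lines() -> list:
    """The same settings in /etc/sysctl.conf syntax, so they survive a reboot."""
    return [f"{key.replace('/', '.')} = {val}" for key, val in REQUIRED_ARP_SYSCTLS.items()]


def write_fake_proc(root: str, values: dict) -> None:
    """Build a constructed /proc/sys-like tree for offline testing; not a real host."""
    for key, val in values.items():
        path = Path(root) / key
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(val + "\n")


def demo() -> tuple:
    """Check a correctly configured tree and one where lo/arp_announce was left
    at the kernel default of 0."""
    good = tempfile.mkdtemp()
    write_fake_proc(good, REQUIRED_ARP_SYSCTLS)
    bad = tempfile.mkdtemp()
    write_fake_proc(bad, {**REQUIRED_ARP_SYSCTLS, "net/ipv4/conf/lo/arp_announce": "0"})
    return all_ok(check_dr_arp(good)), all_ok(check_dr_arp(bad))


if __name__ == "__main__":
    print(demo())
    for key, (expected, actual, ok) in check_dr_arp().items():
        print(f"{'OK ' if ok else 'BAD'} {key}: expected {expected}, got {actual}")
    print("\n".join(sysctl_conf_lines()))
```

Run the block as a script on an RS and the middle loop prints a line per key against the live kernel; the lines from sysctl_conf_lines() can be appended to /etc/sysctl.conf and applied with sysctl -p, the same way ip_forward was persisted on the router in section 5.2.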
5.4 LVS configuration
#Add the VIP on the LVS
[root@lvs ~]# ip address add 172.16.0.100/32 dev lo
#Create the LVS rules
[root@lvs ~]# yum -y install ipvsadm
[root@lvs ~]# ipvsadm -A -t 172.16.0.100:80 -s rr
[root@lvs ~]# ipvsadm -a -t 172.16.0.100:80 -r 192.168.21.7:80 -g
[root@lvs ~]# ipvsadm -a -t 172.16.0.100:80 -r 192.168.21.8:80 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.0.100:80 rr
-> 192.168.21.7:80 Route 1 0 0
-> 192.168.21.8:80 Route 1 0 0
5.5 Testing
With multiple network segments, the router needs an address in the same segment as the VIP
[root@Router ~]# ip address add 172.16.0.200/24 dev ens33
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]# curl 172.16.0.100
RS2:192.168.21.8
[root@Client ~]# curl 172.16.0.100
RS1:192.168.21.7
[root@Client ~]#