observium和librenms常用配置

librenms.conf  nginx配置

server {
 listen      80;
 server_name librenms.XXX.com;
 root        /opt/librenms/html/;
 index       index.php;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {expires 30d;}
        location ~ .*\.(js|css)?$ { expires 12h;}

 location / { try_files $uri $uri/ /index.php?$query_string; }
 location /api/v0 { try_files $uri $uri/ /api_v0.php?$query_string; }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/dev/shm/librenms.sock;
  fastcgi_param SCRIPT_FILENAME $request_filename;
}
 location ~ /\.ht { deny all; }
}

observium.conf nginx配置

server {
    listen 80;
    root /opt/observium/html/;
    index index.php;
    server_name   observium.XXX.com;
    error_log /var/log/nginx/observium.error.log ;
    access_log /var/log/nginx/observium.log ;

 location / { try_files $uri $uri/ /index.php?$query_string; }
 location /api/v0 { try_files $uri $uri/ /api_v0.php?$query_string; }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/dev/shm/php-fpm.sock;
  fastcgi_param SCRIPT_FILENAME $request_filename;
 }
}

observium.sh  升级迭代版本

cd /opt
mv observium observium_old
wget  http://www.observium.org/observium-community-latest.tar.gz -O -|tar xz
mv /opt/observium_old/{rrd,logs,config.php} /opt/observium/
/opt/observium/discovery.php -u
/opt/observium/discovery.php -h all
rm -rf observium_old

Centos8切换到Stream版本

大致先更换vault源，然后执行切换升级。

# CentOS 8 
minorver=8.5.2111
sudo sed -e "s|^mirrorlist=|#mirrorlist=|g" \
         -e "s|^#baseurl=http://mirror.centos.org/\$contentdir/\$releasever|baseurl=https://mirrors.aliyun.com/centos-vault/$minorver|g" \
         -i.bak \
         /etc/yum.repos.d/CentOS-*.repo

然后dnf更新系统。

dnf install centos-release-stream -y
dnf swap centos-linux-repos centos-stream-repos -y
dnf distro-sync -y

可能有一些第三方包不能升级， 也有可能遇上centos-release-stream安装失败的情况。

MacOS安装mtr pkg包

用brew安装的mtr安装或多或少的会有一些问题，直接下载pkg来安装来的方便一些。

http://rudix.org

https://github.com/rudix-mac/packages/

Linux的dns使用tcp协议解析

因为攻击原因UDP协议禁用了后影响到DNS解析了.

echo "options use-vc" >> /etc/resolv.conf

use-vc (since glibc 2.14)
                     Sets RES_USEVC in _res.options.  This option forces
                     the use of TCP for DNS resolutions.

https://man7.org/linux/man-pages/man5/resolv.conf.5.html

dnsdist.conf

# cat /etc/dnsdist/dnsdist.conf
newServer({address="8.8.8.8:53",useClientSubnet=true,maxCheckFailures=30,qps=10000})
newServer({address="1.1.1.1:53",useClientSubnet=true,maxCheckFailures=30,qps=10000})
setACL({'0.0.0.0/0', '::/0'})

addLocal('0.0.0.0:53')
setServerPolicy(firstAvailable)
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)

fedora35从nmcli更改网络回network-scripts管理配置

为了兼容老旧的solusvm进行系统管理, 最近更新fedora的系统模版发现官方已经抛弃原来的配置方式了.

解决方案如下

dnf remove NetworkManager -y
dnf install network-scripts -y
systemctl enable network

然后重新写入/etc/sysconfig/network-scripts/ifcfg-eth0的配置内容.

另外nmcli的网卡配置文件目录/etc/NetworkManager/system-connections/下面有eth0.nmconnection之类的文件保存着IP配置信息.

mikrotik baud rate 115200

Serial Console - RouterOS  routeros Console baud-rate 115200

ipxe编译安装

ipxe默认ZLIB GZIP IMAGE_COMBOOT所以自己编译一下, 编译EFI版本的时候要去掉IMAGE_COMBOOT.

还有通过EMBED预置脚本编译成iso后, 在没有dhcp的机器上也可以进行ipxe引导.

 cat>/opt/tftp/boot.ipxe<<EOF
#!ipxe
isset ${ip} || dhcp || config
ifopen
show mac
route
chain --autofree http://你的pxe服务器地址/ipxe.php
EOF

cd /tmp
yum install git mkisofs gcc make  xz-devel  -y
git clone git://git.ipxe.org/ipxe.git
cd ipxe/src
cat>config/local/general.h<<EOF
#define DOWNLOAD_PROTO_HTTPS
#define IMAGE_COMBOOT
#define CONSOLE_CMD
#define VLAN_CMD
#define IMAGE_ZLIB
#define IMAGE_GZIP
EOF
make EMBED=/opt/tftp/boot.ipxe 

cat>config/local/general.h<<EOF
#define DOWNLOAD_PROTO_HTTPS
#define CONSOLE_CMD
#define VLAN_CMD
#define IMAGE_ZLIB
#define IMAGE_GZIP
EOF
make bin-x86_64-efi/{ipxe.efi,snponly.efi} EMBED=/opt/tftp/boot.ipxe 

install -p -D -m 0644  bin/{undionly.kpxe,undionly.kkpxe} /opt/tftp/
install -p -D -m 0644  bin-x86_64-efi/{ipxe.efi,snponly.efi} /opt/tftp/

还有 bin/ipxe.iso  bin/ipxe.lkrn bin/ipxe.pxe bin/ipxe.usb可以复制一下, 做ipxe网络启动只要一个ipxe.efi和snponly.efi 以及ipxe.kkpxe就够了

IPXE windows uefi http boot

最近在写自动装机管理, 等写完了才在github上发现一个项目https://github.com/OneB1t/uefihttpboot

当时要是多留个心, 也不至于后面走了很多弯路.

阅读剩余部分...

IPXE安装ESXI

最近折腾得比较头大

准备工作先建立一个web服务.

将esxi的iso下载解压并将boot.cfg配置修改好

#自定义内容
esxiurl=http://$sesrver/VMware-VMvisor-Installer-6.5.0.XXXX.x86_64.iso
isoname=VMware_esxi.iso
tmppath=tmp
isocache=esxipath
#-------------------------------------------------------------------------------------
mkdir $isocache $tmppath
wget -c $esxiurl -O $isoname
mount $isoname $tmppath
rsync -az $tmppath/ $isocache/
umount $tmppath
sed -i 's#/##g'  $isocache/boot.cfg
sed -i 's/prefix/#prefix/g'  $isocache/boot.cfg
sed -i 's/kernelopt/#kernelopt/g'  $isocache/boot.cfg

kickstart文件也可以一起丢到esxi的web目录下面

ipxe默认没有开启支持SYSLINUX COMBOOT,需要自己编译进去

yum install git mkisofs gcc make  rsync
git clone git://git.ipxe.org/ipxe.git
cd ipxe/src
cat>>config/local/general.h<<EOF
#define DOWNLOAD_PROTO_HTTPS
#define IMAGE_COMBOOT
EOF
make bin/{ipxe.iso,undionly.kkpxe,ipxe.usb} bin-x86_64-efi/ipxe.efi 
mkdir ipxe
cp bin/{ipxe.iso,undionly.kkpxe,ipxe.usb} bin-x86_64-efi/ipxe.efi ipxe

编译好的undionly.kkpxe放到tftp目录下, 然后dhcp引导加载

IPXE脚本部分:

#!ipxe
iseq ${platform} efi && goto is_efi ||
kernel {$mirror}/mboot.c32 -c  {$mirror}/boot.cfg  ks=http://{$server}/kickstart prefix={$mirror} nameserver={$dns}  BOOTIF={$mac} ip={$ip}   netmask={$netmask} gateway={$gateway} kernelopt=allowLegacyCPU=true
boot

:is_efi
kernel  {$mirror}/efi/boot/bootx64.efi -c  {$mirror}/boot.cfg  ks=http://{$server}/kickstart prefix={$mirror} nameserver={$dns}  BOOTIF={$mac} ip={$ip}   netmask={$netmask} gateway={$gateway} kernelopt=allowLegacyCPU=true
boot

{$mirror}是esxi的iso解压出来可以http访问的地址

这里特别感谢https://blog.open4j.com/2019/05/30/ipxe-build-embedded-script/ 点破了COMBOOT的问题.

Centos安装bgpq4

yum install git autoconf automake gcc libtool -y
git clone https://github.com/bgp/bgpq4
cd bgpq4
./bootstrap
./configure
make
make install

编译好后从as-set抓取IP直接生成配置

bgpq4 -Jl Baidu-list AS-55967

具体用法参考github上项目的说明文件.

nginx反向代理解决googleapis字体库问题

虽然有第三方的,但是自己nginx里面写死配置来得安稳些.

sub_filter_once off;
sub_filter_types text/css;
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";

location /assets/vendor/googleapis {
  rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
  proxy_pass https://fonts.googleapis.com;
  proxy_set_header Host "fonts.googleapis.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1d;
  sub_filter_once off;
  sub_filter_types text/css;
  sub_filter "https://fonts.gstatic.com" "/assets/vendor/gstatic";
}

location /assets/vendor/gstatic {
  rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
  proxy_pass https://fonts.gstatic.com:443;
  proxy_set_header Host "fonts.gstatic.com";
  expires 1y;
}

chrony时间同步

弃用ntp换chrony做时间同步了

cat /usr/share/zoneinfo/Asia/Shanghai>/etc/localtime
yum install -y chrony
systemctl enable chronyd
systemctl start chronyd

Centos8安装部署Caddy2以及typecho/wordpress伪静态

Centos8(Caddy2)

yum -y -q install epel-release
yum -y copr enable @caddy/caddy
yum -y -q install caddy

/etc/caddy/Caddyfile的typecho配置例子

DOMAIN='blog.domian'
cat>/etc/caddy/Caddyfile<<EOF
${DOMAIN}, www.${DOMAIN}
{
   tls [email protected]${DOMAIN}
   root * /home/${DOMAIN}/
   encode gzip
   file_server
   php_fastcgi unix//dev/shm/php-fpm.sock
   handle_path / {   try_files {path} {path}/index.php?{query} index.php?{query}  }
}
EOF

“域名.后缀”  替换成自己的域名

/dev/shm/php-fpm.sock换成自己的php-fpm路径

多个域名用逗号和空格隔开, 可以绑定多个域名.

php自己安装配置, Caddyfile配置已经验证可用.

Centos7安装Caddy

用caddy自动续签ssl太爽了, 之前编译安装太费心了,现在可以直接从epel安装.

但是如果要做4层协议转发,还是没有nginx效率强大.

Centos7

yum -y -q install epel-release
yum -y -q install caddy

阅读剩余部分...