Week 18
Environment:
192.168.43.127 centos7 mysql
192.168.43.106 centos6 vsftpd pam_mysql
1、On 127, install the database server mariadb-server
[ ~]#yum -y install mariadb-server
[ ~]# systemctl start mariadb.service
[ ~]#systemctl enable mariadb
2、On 126, install vsftpd and pam_mysql
yum install vsftpd pam_mysql
service vsftpd start
chkconfig vsftpd on
3、Create the virtual user accounts on the database server
[ ~]# mysql -uroot -p123456
MariaDB [(none)]> CREATE DATABASE vsftpd;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| vsftpd             |
+--------------------+
MariaDB [(none)]> GRANT SELECT ON vsftpd.* TO 'vsftpd'@'192.168.43.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.233 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.133 sec)
MariaDB [(none)]> USE vsftpd;
Database changed
MariaDB [vsftpd]> CREATE TABLE users ( id INT AUTO_INCREMENT NOT NULL PRIMARY KEY, name CHAR(50) BINARY NOT NULL, password CHAR(48) BINARY NOT NULL );
Query OK, 0 rows affected (0.234 sec)
Test the connection:
[ ~]#mysql -uvsftpd -h192.168.43.205 -p123456
Welcome to the MySQL monitor. Commands end with ; or \g.
Insert the users:
MariaDB [vsftpd]> INSERT INTO users(name,password) values('wang',password('123456'));
Query OK, 1 row affected (0.038 sec)
MariaDB [vsftpd]> INSERT INTO users(name,password) values('li',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> SELECT * FROM users;
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | wang | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
|  2 | li   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------+-------------------------------------------+
2 rows in set (0.000 sec)
4、On the FTP server, create the file that PAM needs for authentication
[ ~]#vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=192.168.43.205 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
5、Create the mapped (guest) system user on the FTP server:
[ ~]#useradd -s /sbin/nologin -d /var/ftproot vuser
[ ~]#chmod 555 /var/ftproot
[ ~]#mkdir /var/ftproot/{upload,pub}
[ ~]#tree -d /var/ftproot/
/var/ftproot/
├── pub
└── upload
6、Configure the FTP service:
Change the following settings so that user wang can upload and download, and user li uses a separate root directory in which it can also upload and download.
[ ~]#vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
pam_service_name=vsftpd.mysql
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vuser
user_config_dir=/etc/vsftpd/vusers_config
[ ~]#tree /etc/vsftpd/vusers_config/
/etc/vsftpd/vusers_config/
├── li
└── wang
Per-user configuration for wang:
[ vusers_config]#cat wang
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Per-user configuration for li:
[ vusers_config]#cat li
local_root=/ftproot_li
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Grant the guest user write access to the upload directory and create the root directory for li:
[ ~]#setfacl -m u:vuser:rwx /var/ftproot/upload
[ ~]#mkdir /ftproot_li
[ ~]#chmod 555 /ftproot_li
[ ~]#setfacl -m u:vuser:rwx /ftproot_li
7、Restart vsftpd
[ ~]#service vsftpd restart
Shutting down vsftpd:                                      [FAILED]
Starting vsftpd for vsftpd:                                [  OK  ]
[ ~]#chkconfig vsftpd on
8、Verification:
Log in as li; the root directory is /ftproot_li
[ ~]# ftp 192.168.43.106
Name (192.168.43.106:root): li
331 Please specify the password.
230 Login successful.
ftp> cd li
250 Directory successfully changed.
ftp> put anaconda-ks.cfg
local: anaconda-ks.cfg remote: anaconda-ks.cfg
227 Entering Passive Mode (192,168,43,106,46,74).
150 Ok to send data.
226 Transfer complete.
980 bytes sent in 6.7e-05 secs (14626.86 Kbytes/sec)
ftp> get a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,197,240).
150 Opening BINARY mode data connection for a (2 bytes).
226 Transfer complete.
2 bytes received in 2.1e-05 secs (95.24 Kbytes/sec)
ftp> !ls
2345 a anaconda-ks.cfg b c
Log in as wang; the root directory is /var/ftproot/
[ ~]# ftp 192.168.43.106
ftp> ls
227 Entering Passive Mode (192,168,43,106,64,16).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Apr 26 01:19 pub
drwxrwxr-x    2 0        0            4096 Apr 26 02:24 upload
226 Directory send OK.
ftp> cd upload
ftp> ls
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
ftp> put a
local: a remote: a
227 Entering Passive Mode (192,168,43,106,205,1).
150 Ok to send data.
226 Transfer complete.
2 bytes sent in 0.000109 secs (18.35 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,43,106,165,68).
150 Here comes the directory listing.
-rw-------    1 501      501             2 Apr 26 02:58 a
-rw-------    1 501      501           980 Apr 26 02:24 anaconda-ks.cfg
226 Directory send OK.
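As an added example (not from the original write-up), the following script reproduces MySQL's PASSWORD() hash, which is what pam_mysql compares against when crypt=2 is set, and then checks a constructed copy of the users table from the SELECT above the same way the module does; the function names and the sample table are my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# pam_mysql with crypt=2 expects MySQL PASSWORD() hashes, i.e.
#   '*' + uppercase hex of SHA1( raw bytes of SHA1(password) )
# so a stored row can be verified offline with only sha1sum.

# Turn a hex string into printf octal escapes so the raw bytes can be hashed.
hex_to_octal_escapes() {
    hex=$1; out=""; i=0
    while [ "$i" -lt "${#hex}" ]; do
        pair=$(printf '%s' "$hex" | cut -c"$((i + 1))-$((i + 2))")
        out="$out$(printf '\\%03o' "$((0x$pair))")"
        i=$((i + 2))
    done
    printf '%s' "$out"
}

# Same value MariaDB returns for PASSWORD('<pw>').
mysql_password_hash() {
    inner=$(printf '%s' "$1" | sha1sum | cut -c1-40)
    outer=$(printf "$(hex_to_octal_escapes "$inner")" | sha1sum | cut -c1-40)
    printf '*%s' "$outer" | tr 'a-f' 'A-F'
}

# Constructed copy of the users table shown above: "<name> <stored hash>".
USERS_TABLE='wang *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
li *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9'

# Emulate the crypt=2 lookup: fetch the row for the user and compare hashes.
# Prints "ok" or "fail" and returns 0 or 1.
check_login() {
    want=$(printf '%s\n' "$USERS_TABLE" | awk -v u="$1" '$1 == u { print $2 }')
    if [ -n "$want" ] && [ "$want" = "$(mysql_password_hash "$2")" ]; then
        echo ok; return 0
    fi
    echo fail; return 1
}
```

Running `check_login wang 123456` against the constructed table prints ok, which confirms that the hash stored by password('123456') is the one pam_mysql will accept.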
2、Share the server's /www directory over NFS.
Environment:
NFS server: 192.168.43.197
Client: 192.168.43.205
1、NFS server configuration
[]#yum -y install nfs-utils
[]#systemctl start nfs
[]#systemctl enable nfs
[]#mkdir /www
[]#touch 197.txt
[]#vim /etc/exports
/www 192.168.43.0/24(rw,no_root_squash)
Every host on the 192.168.43.0 network can access the /www share with rw permission, and root is not squashed.
[]#exportfs -rv
exporting 192.168.43.0/24:/www
2、Client 205:
View the server's export list
[]# showmount -e 192.168.43.197
Export list for 192.168.43.197:
/www 192.168.43.0/24
Mount manually:
[ ~]# mkdir /www
[ ~]# touch 205.txt
[ ~]# mount -o hard,intr,nosuid,nodev,noexec 192.168.43.197:/www /www
[ ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M     0  991M   0% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root  100G  3.0G   97G   3% /
/dev/sda1                497M  139M  358M  28% /boot
tmpfs                    199M     0  199M   0% /run/user/0
192.168.43.197:/www      100G  7.1G   93G   8% /www
[ ~]# ll /www
-rw-r--r-- 1 root root 0 May 2 18:13 197.txt
Done.
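An added example, not part of the original write-up: a small audit over an /etc/exports file that flags the two properties of the export above that a defender wants to notice, rw granted to an entire network and no_root_squash (a remote root keeps uid 0 on the server). The function name and the sample exports are constructed.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Reads exports from stdin and prints one finding per risky client entry,
# followed by a "findings: N" summary line.
audit_exports() {
    findings=0
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks and comments
        for entry in $clients; do
            host=${entry%%\(*}
            case "$entry" in
                *\(*) opts=${entry#*\(}; opts=${opts%\)} ;;
                *)    opts="" ;;                       # no options: ro,root_squash defaults
            esac
            # "*" or anything with a "/" is a whole network rather than one host
            case "$host" in '*'|*/*) wide=1 ;; *) wide=0 ;; esac
            case ",$opts," in *,rw,*) rw=1 ;; *) rw=0 ;; esac
            case ",$opts," in *,no_root_squash,*) nrs=1 ;; *) nrs=0 ;; esac
            if [ "$rw" = 1 ] && [ "$wide" = 1 ]; then
                echo "$path $host: rw for a whole network"
                findings=$((findings + 1))
            fi
            if [ "$nrs" = 1 ]; then
                echo "$path $host: no_root_squash (remote root is root on this server)"
                findings=$((findings + 1))
            fi
        done
    done
    echo "findings: $findings"
}

# Constructed sample: the export from this write-up plus a safer second line.
SAMPLE_EXPORTS='# /etc/exports
/www 192.168.43.0/24(rw,no_root_squash)
/pub 192.168.43.205(ro,root_squash) 192.168.43.206(rw)'
```

Run it as `printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports`, or `audit_exports < /etc/exports` on a real server.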
3、Configure a Samba share to share the /www directory
Environment:
Samba server: 192.168.43.197
Client: 192.168.43.205
1、Samba server configuration:
[ ~]#yum install samba
[ ~]#systemctl start smb
[ ~]#systemctl enable smb
[ ~]#groupadd -r admins
[ ~]#useradd -s /sbin/nologin -G admins wangyan
Add the Samba users:
[ ~]#pdbedit -a wangyan
new password:
retype new password:
[ ~]#useradd -s /sbin/nologin -G admins lucy
[ ~]#smbpasswd -a lucy
New SMB password:
Retype new SMB password:
Added user lucy.
[ ~]#pdbedit -L
wangyan:1001:
lucy:1002:
Create the share directory:
[ ~]#mkdir /wangyanshare
[ ~]#touch wangyanshare.txt
Edit the Samba configuration file and add the share:
[ ~]#vim /etc/samba/smb.conf
[wangyanshare]
comment = wangyan's share
path = /wangyanshare
valid users = wangyan,@admins
write list = wangyan
writeable = no
browseable = yes
2、Client:
[ ~]yum -y install cifs-utils samba-client
[ ~]# smbclient -L 192.168.43.197 -Uwangyan
Enter SAMBA\wangyan's password:
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	wangyanshare    Disk      wangyan's share
	IPC$            IPC       IPC Service (Samba 4.9.1)
	wangyan         Disk      Home Directories
Mount manually:
[ ~]# mount -o username=wangyan,password=123456 //192.168.43.197/wangyanshare /mnt/wangyan
[ ~]# df -h
Filesystem                     Size  Used Avail Use% Mounted on
devtmpfs                       979M     0  979M   0% /dev
tmpfs                          991M     0  991M   0% /dev/shm
tmpfs                          991M  9.6M  981M   1% /run
tmpfs                          991M     0  991M   0% /sys/fs/cgroup
/dev/mapper/centos-root        100G  3.0G   97G   3% /
/dev/sda1                      497M  139M  358M  28% /boot
tmpfs                          199M     0  199M   0% /run/user/0
//192.168.43.197/wangyanshare  100G  7.1G   93G   8% /mnt/wangyan
4、Real-time synchronisation of the /www directory with rsync + inotify
Environment:
rsync client: 192.168.43.197
rsync server: 192.168.43.187
1、On the rsync client, install inotify:
[ ~]#yum -y install inotify-tools
2、Configure the rsync server:
Install rsync
[ ~]#yum -y install rsync
[ ~]#systemctl start rsyncd
[ ~]#systemctl enable rsyncd
Prepare the account/password file
[ ~]#echo "rsyncuser:123456" > /etc/rsync.pass
[ ~]#chmod 600 /etc/rsync.pass
Prepare the directory that receives the synced data
[ ~]#mkdir /backup
Edit the rsync configuration file
[ ~]#vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
max connections = 0
ignore errors
exclude = lost+found/
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
hosts allow = 192.168.43.0/24
[backup]
path = /backup
comment = data backup
read only = no
auth users = rsyncuser
secrets file = /etc/rsync.pass
[ ~]#systemctl restart rsyncd
3、rsync client:
[ ~]#echo "123456" > /inotify/rsync.pass
[ ~]#chmod 600 /inotify/rsync.pass
[ ~]#cat /inotify/rsync.pass
123456
[ ~]#vim /inotify/inotify_rsync.sh
#!/bin/bash
SRC='/data/test'
# rsync daemon syntax is user@host::module; server address and auth user come from the rsyncd.conf above
DEST='rsyncuser@192.168.43.187::backup'
# each inotifywait line is: "<date> <time> <path> event:<EVENTS>", so read it into four fields
inotifywait -mrq ${SRC} --timefmt "%F %H:%M" --format "%T %w%f event:%;e" -e create,delete,moved_to,close_write,attrib | while read DATE TIME FILEPATH EVENT; do
    rsync -az --delete --password-file=/inotify/rsync.pass $SRC $DEST && echo "At ${TIME} on ${DATE}, file $FILEPATH was backed up via rsync" >> /inotify/changelist.log
done
4、Test
5、Use iptables to allow the telnet, ftp, web and samba services and reject every other port and service
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,21,22,23,139,445 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
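Added example (not from the original homework): the same policy rendered as an iptables-restore file so the whole table loads atomically, with two additions the rule-by-rule list above lacks, an explicit loopback ACCEPT (a DROP policy on INPUT also applies to packets on lo) and a FORWARD DROP policy on the assumption that this host does not route; passive FTP data connections only match the RELATED rule once the nf_conntrack_ftp helper is loaded. build_ruleset and rule_count are my own names.

```shell
#!/bin/sh
# Added example, not part of the original homework.
# Renders the port policy as an iptables-restore table. Loading it with
# iptables-restore replaces the filter table in one step, so there is no
# window where a DROP policy is active before the ACCEPT rules exist.
build_ruleset() {
    tcp_ports=$1   # comma-separated list, e.g. 80,443,21,22,23,139,445
    udp_ports=$2   # comma-separated list, e.g. 137,138
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $tcp_ports -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports $udp_ports -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of -A rule lines in the rendered table (policy and COMMIT lines excluded).
rule_count() {
    build_ruleset "$1" "$2" | grep -c '^-A '
}

# To apply on the FTP/Samba host (as root): load the FTP helper first so the
# passive-mode data connections seen in the ftp sessions above count as RELATED.
#   modprobe nf_conntrack_ftp
#   build_ruleset 80,443,21,22,23,139,445 137,138 | iptables-restore
```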
Architecture class homework:
1、Install and configure Prometheus and Alertmanager to monitor k8s, and display the monitoring data in Grafana