在 Kibana 的 GUI 设置页面中,有一个名为“隐藏公告”的条目,其字段名为hideAnnouncements。
此页面的 URL 路径为/app/management/kibana/settings
然后在YAML配置文件的文档中有一个条目newsfeed.enabled。
如果newsfeed.enabled设置为false,则 GUI 中的隐藏公告设置不会改变。
是否有一个kibana.yml控制设置hideAnnouncements?
[AuthorityInformationAccess]在定义和 的“CAPolicy.inf”文件中[CRLDistributionPoint],这些部分可以使用动态值吗?例如:
[CRLDistirubtionPoint]
URL="http://pki.mycompany.tld/%3%8%9.crl"
或者
[CRLDistirubtionPoint]
URL="http://pki.mycompany.tld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"
我做了一些搜索来寻找答案,但即使是 Microsoft 也没有关于此问题或两层 PKI 中 AIA 和 CDP 扩展的正确配置的详细信息。
谢谢!
我有一个自定义文件,其中/etc/containerd/certs.d/registry.at.my.company/hosts.toml为在我的服务器上运行的本地注册表容器设置了一些配置。当我为 Kubernetes 的 CRI 配置它时,它工作得很好,但我和我的同事发现令人沮丧的是,我们必须在手动运行时添加--hosts-dir /etc/containerd/certs.d所有命令(在 K8s 之外)。当我们使用 docker 执行此操作时,它非常简单:我们只需在 docker 守护进程的 JSON 配置文件 ( ) 上设置正确的选项,并且运行良好。但我很难找到具有类似行为的等效设置。当然,CRI插件正在使用ctr image pullctr"insecure-registry": "127.0.0.1"ctrhosts.toml文件我设置得很好,但我希望能够手动提取图像,而不必向命令添加额外的标志。有没有一种方法可以配置containerd,这样就ctr image pull不需要--hosts-dir每次都通过?
该hosts.toml文件如下所示:
server = "http://registry.at.my.company"
[host."http://registry.at.my.company"]
skip_verify = true
plain-http = true
在文件中/etc/containerd/config.toml,我有 CRI 指向它,如下所示:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
但是,正如我在上面猜测和所说的,这似乎只影响 kubelet 与 containerd 的交互方式,而不是如何ctr交互。
一些背景上下文:
我们运行这个本地注册表,其中包含/etc/hosts如下条目:127.0.1.1 registry.at.my.company。加上一些防火墙规则,这使得使用我们 Kubernetes 集群的每个人都必须将其镜像推送到registry.at.my.company并配置其 pod 以使用来自那里的镜像,因为我们的 kubelet 将无法从该域以外的任何地方拉取;为了使我们的注册表不是 SPoF,我们将这些本地注册表容器作为只读镜像运行(并且注册表容器的服务器本身只接受本地连接,从而避免了缺少 SSL 证书的问题。)我不确定这是否与我的问题相关,但它应该有助于解释为什么我在谈论insecure-registrydocker 中的旧选项以及为什么我hosts.toml使用http而不是https,以免引起任何人的担忧。
另外,这是我正在使用的containerd 版本1.6.19。
我在Ubuntu 22.04上安装了aide并保留默认配置。运行后,我收到了一封电子邮件报告,表明一切顺利。请参阅下面的报告。
和/var/lib/aide/aide.db.new为零/var/lib/aide/aide.db字节。设备上有足够的可用空间,我在日志文件中找不到任何异常情况。
有什么想法如何寻找该问题的原因吗?
AIDE returned with exit code 1. Added entries detected!
AIDE produced no errors.
******************************************************************************
* AIDE has returned long output which has been truncated in this mail *
******************************************************************************
Output is 2792556 lines, truncated to 1000.
Start timestamp: 2023-08-20 06:25:01 +0200 (AIDE 0.17.4)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EIh
Summary:
Total number of entries: 2792523
Added entries: 2792500
Removed entries: 0
Changed entries: 0
我正在尝试为我正在构建的应用程序设置反向代理。该应用程序被拆分为两个 docker 镜像。首先是一个网络用户界面,可以通过https://example.com/访问
第二个 docker 图像具有我感兴趣的基址。第一个是https://example.com/swagger,第二个是https://example.com/api
当我导航到 example.com 时,一切都按预期工作。我得到了应用程序前端。当我导航到 swagger 链接时,再次一切正常,我得到了 swagger 页面。实际地址是https://example.com/swagger/index.html
但是,第三部分是https://example.com/api是我想要访问的 Rest API,当我尝试调用它时。或者更具体地说,对https://example.com/api/Authentication/login的 POST 请求
我从服务器收到 307 响应,将调用重定向到http://actualserver.local:7066/api/Authentication/login
我不明白为什么要这样做,因为它应该像 swagger 链接那样获取信息。
这是我用来运行反向代理的 nginx.conf 文件
worker_processes 1;
events { worker_connections 1024; }
http {
client_max_body_size 0;
sendfile on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
server {
listen 80 default_server;
server_name example.com;
# location /.well-known/acme-challenge/ {
# root /var/www/certbot;
# }
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name example.com;
location /api {
proxy_pass http://actualserver.local:7066/api;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location /swagger {
proxy_pass http://actualserver.local:7066/swagger;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location / {
proxy_pass http://actualserver.local:3000;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
}
我正在寻找的是让反向代理调用 actualserver.local,而不是返回 307。我在这里有点力不从心,所以任何帮助将不胜感激。
更新:我尝试修改 nginx 配置以查看这是否有任何效果。这是我更新的文件。
worker_processes 1;
事件 { worker_connections 1024; }
http { client_max_body_size 0; 发送文件;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
upstream web-ui {
server actualserver.local:3000;
}
upstream web-api {
server actualserver.local:7066;
}
server {
listen 80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name example.com;
location /api {
proxy_pass http://web-api/api;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location /swagger {
proxy_pass http://web-api/swagger;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location / {
proxy_pass http://web-ui;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
}
307 中报告的位置是
https://web-api:7066/api/Authentication/login
web-api 在整个代码库中唯一存在的地方是在 nginx.conf 中,这不能来自应用程序服务器。必须是 nginx 正在执行此操作。
我在 Debian linux 下opendmarc运行。postfix我做了标准的基于 Debian apt 的安装opendmarc,但后来,我意识到它显然默认配置为使用opendmarc-import以将导入数据保存在数据库中。
我不想使用数据库,但我找不到任何方法告诉我opendmarc停止将信息记录到该数据库中。
我没有看到任何东西/etc/opendmarc.conf似乎可以控制是否opendmarc-import配置为使用。
有人可以告诉我如何告诉我opendmarc停止使用的说明opendmarc-import吗?我在搜索过的任何地方都找不到任何文档。
非常感谢你提前。
PS:我想我可以手动将 an 放在perl 脚本exit(0);的顶部附近/usr/sbin/opendmarc-import(或对该脚本进行一些其他适当的更改),但我不想依赖这样的 hack。
我想将使用(传统)端口 5555 的 Windows Data Protector 客户端导入运行 11.02 的 Cell Server。当我尝试时,系统会向我提供接受证书,但出现[12:1625] Import host failed.错误。
我怀疑这是因为最近的安装默认使用 5565 端口。
所以我的问题是:有没有办法指定导入客户端时要使用的端口?(我试图将端口作为“:portnr”添加到主机名,但不被接受。)
我已经kubelet 1.26.0使用命令在 Ubuntu 22.04 上安装apt install kubelet,但是当我尝试时,journalctl -xeu kubelet我得到以下结果:
░░
░░ The unit kubelet.service has entered the 'failed' state with result 'exit-code'.
Dec 14 15:41:16 a systemd[1]: kubelet.service: Scheduled restart job, restart counter is at 86.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ Automatic restarting of the unit kubelet.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Dec 14 15:41:16 a systemd[1]: Stopped kubelet: The Kubernetes Node Agent.
░░ Subject: A stop job for unit kubelet.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit kubelet.service has finished.
░░
░░ The job identifier is 26301 and the job result is done.
Dec 14 15:41:16 a systemd[1]: Started kubelet: The Kubernetes Node Agent.
░░ Subject: A start job for unit kubelet.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit kubelet.service has finished successfully.
░░
░░ The job identifier is 26301.
Dec 14 15:41:16 a kubelet[18015]: Flag --pod-infra-container-image has been deprecated, will be removed in 1.27. Image garbage collector will get sandbox image information from CRI.
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.367525 18015 server.go:198] "--pod-infra-container-image will not be pruned by the image garbage collector in kubelet and should also be set in the rem>
Dec 14 15:41:16 a kubelet[18015]: Flag --pod-infra-container-image has been deprecated, will be removed in 1.27. Image garbage collector will get sandbox image information from CRI.
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.371255 18015 server.go:412] "Kubelet version" kubeletVersion="v1.26.0"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.371272 18015 server.go:414] "Golang settings" GOGC="" GOMAXPROCS="" GOTRACEBACK=""
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.371499 18015 server.go:836] "Client rotation is on, will bootstrap in background"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.372757 18015 certificate_store.go:130] Loading cert/key pair from "/var/lib/kubelet/pki/kubelet-client-current.pem".
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.373608 18015 dynamic_cafile_content.go:157] "Starting controller" name="client-ca-bundle::/etc/kubernetes/pki/ca.crt"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399357 18015 server.go:659] "--cgroups-per-qos enabled, but --cgroup-root was not specified. defaulting to /"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399717 18015 container_manager_linux.go:267] "Container manager verified user specified cgroup-root exists" cgroupRoot=[]
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399832 18015 container_manager_linux.go:272] "Creating Container Manager object based on Node Config" nodeConfig={RuntimeCgroupsName: SystemCgroupsName>
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399866 18015 topology_manager.go:134] "Creating topology manager with policy per scope" topologyPolicyName="none" topologyScopeName="container"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399883 18015 container_manager_linux.go:308] "Creating device plugin manager"
Dec 14 15:41:16 a kubelet[18015]: I1214 15:41:16.399940 18015 state_mem.go:36] "Initialized new in-memory state store"
Dec 14 15:41:16 a kubelet[18015]: E1214 15:41:16.402173 18015 run.go:74] "command failed" err="failed to run Kubelet: validate service connection: CRI v1 runtime API is not implemented for endpoint \">
Dec 14 15:41:16 a systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit kubelet.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Dec 14 15:41:16 a systemd[1]: kubelet.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit kubelet.service has entered the 'failed' state with result 'exit-code'.
lines 2547-2600/2600 (END)
我不知道是什么问题,我怎样才能解决它?
我正在https://modernamedia.no/上做一个项目, 我正在尝试做很多事情
- 将所有呼叫www.modernamedia.no重定向到https://modernamedia.no/
- proxypass localhost:5000 到 api.modernamedia.no
- 将所有 http 调用重定向到 https。
最后一个正在工作。但是,前两个不起作用。您可以访问https://www.modernamedia.no/ 自行测试
我也在努力通过 API 调用到达我的本地主机,但这可能是与代码相关的问题。
conf.d
server {
if ($host = www.modernamedia.no) {
return 301 https://modernamedia.no$request_uri;
} # managed by Certbot
if ($host = modernamedia.no) {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect to the correct place, if needed
set $https_redirect 0;
if ($server_port = 80) { set $https_redirect 1; }
if ($host ~ '^www\.') { set $https_redirect 1; }
if ($https_redirect = 1) {
return 301 https://modernamedia.no$request_uri;
}
listen 80;
server_name modernamedia.no;
return 404; # managed by Certbot
}
server {
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2; # managed by Certbot
server_name modernamedia.no;
location / {
proxy_pass http://localhost:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /etc/letsencrypt/live/modernamedia.no/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/modernamedia.no/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 80;
server_name www.modernamedia.no;
return 301 https://modernamedia.no$request_uri;
}
server {
listen 81;
server_name api.modernamedia.no;
root /var/www/ModernaMedia/DotNet;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
网站可用/默认
server {
listen 81;
server_name api.modernamedia.no;
root /var/www/ModernaMedia/DotNet;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
现代媒体服务
[Unit]
Description=ModernaMedia Net5 service
[Service]
WorkingDirectory=/var/www/ModernaMedia/DotNet
ExecStart=/usr/bin/dotnet /var/www/ModernaMedia/DotNet/ModernaMediaDotNet.dll
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=ModernaMedia-dotnet
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
[Install]
WantedBy=multi-user.target
我可以通过 curl 访问我的 .NET 服务器