问题[opensuse](server)

我正在尝试gitea使用 podman 进行设置。我想拥有

• 映射到主机目录的数据卷，因为它允许我轻松检查和备份数据
• 特定宿主用户执行的容器进程

Podman 由 root 用户执行，主要是因为我在使用podman generate systemd --new无根容器时遇到的问题（请参阅systemd User= directive not supported, why?和support User= in systemd for running rootless services）。

为了实现与 rootfull 容器的映射，开始将所有正在使用的容器uids 和gids 映射到主机的gitea user. 我最终得到了类似的东西

podman run --rm \
    --uidmap=0:$(id -u gitea):1 \
    --gidmap=0:$(id -g gitea):1 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \
    --gidmap=42:$(id -g gitea):1 \
    --volume /srv/gitea/data:/var/lib/gitea \
    docker.io/gitea/gitea:1.18.0-rc1-rootless

我得到的输出是

WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping 
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping 
Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

尽管有路径警告，我还是成功运行了其他 podman 容器，所以我认为可以忽略它们。

我podman version 3.4.7在 openSUSE Leap 15.3 上运行。

我如何运行这个容器，同时将所有正在使用uid的 s 和gids 映射到特定的主机用户/组？

我正在寻找一种可靠的方法来查找我的 OpenSUSE Leap 15.3 系统上安装了多少个软件包。我试过了：

# number of available packages in the repos
vm-admin:~ # zypper se -s | wc -l
55800

# number of installed packages from the repos
vm-admin:~ # zypper se -si | wc -l
1490

# number of installed packages?
vm-admin:~ # rpm -qa | wc -l
1091

# number of available packages?
vm-admin:~ # pkcon get-packages | grep Available | wc -l
51058

# number of installed packages?
vm-admin:~ # pkcon get-packages | grep Installed | wc -l
1086

这些命令命令之间有什么区别？

我很难从运行浮士德脚本的客户端连接到运行 Kafka 的机器。脚本如下所示：

import faust
import logging
from asyncio import sleep


class Test(faust.Record):
    msg: str


app = faust.App('myapp', broker='kafka://10.0.0.20:9092')
topic = app.topic('test', value_type=Test)


@app.agent(topic)
async def hello(messages):
    async for message in messages:
        print(f'Received {message.msg}')


@app.timer(interval=5.0)
async def example_sender():
    await hello.send(
        value=Test(msg='Hello World!'),
    )


if __name__ == '__main__':
    app.main()

当我运行脚本时：

# faust -A myapp worker -l info
┌ƒaµS† v0.8.1─┬─────────────────────────────────────────────────┐
│ id          │ myapp                                           │
│ transport   │ [URL('kafka://10.0.0.20:9092')]                 │
│ store       │ memory:                                         │
│ web         │ http://hubbabubba:6066                   │
│ log         │ -stderr- (info)                                 │
│ pid         │ 260765                                          │
│ hostname    │ hubbabubba                               │
│ platform    │ CPython 3.8.10 (Linux x86_64)                   │
│ drivers     │                                                 │
│   transport │ aiokafka=0.7.2                                  │
│   web       │ aiohttp=3.8.1                                   │
│ datadir     │ /Git/faust-kafka/myapp-data    │
│ appdir      │ /Git/faust-kafka/myapp-data/v1 │
└─────────────┴─────────────────────────────────────────────────┘
[2022-01-28 13:09:57,018] [260765] [INFO] [^Worker]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^-App]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^--Monitor]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^--Producer]: Starting... 
[2022-01-28 13:09:57,022] [260765] [INFO] [^---ProducerBuffer]: Starting... 
[2022-01-28 13:09:57,024] [260765] [ERROR] Unable connect to "10.0.0.20:9092": [Errno 113] Connect call failed ('10.0.0.20', 9092) 
[2022-01-28 13:09:57,025] [260765] [ERROR] [^Worker]: Error: KafkaConnectionError("Unable to bootstrap from [('10.0.0.20', 9092, <AddressFamily.AF_INET: 2>)]") 
Traceback (most recent call last):
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/worker.py", line 276, in execute_from_commandline
    self.loop.run_until_complete(self._starting_fut)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/services.py", line 759, in start
    await self._default_start()
  File "/media/eric/DISK3/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/services.py", line 766, in _default_start
    await self._actually_start()...
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/aiokafka/client.py", line 249, in bootstrap
    raise KafkaConnectionError(
kafka.errors.KafkaConnectionError: KafkaConnectionError: Unable to bootstrap from [('10.0.0.20', 9092, <AddressFamily.AF_INET: 2>)]
[2022-01-28 13:09:57,027] [260765] [INFO] [^Worker]: Stopping... 
[2022-01-28 13:09:57,027] [260765] [INFO] [^-App]: Stopping... 
[2022-01-28 13:09:57,027] [260765] [INFO] [^-App]: Flush producer buffer... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^--TableManager]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^---Fetcher]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^---Conductor]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^--AgentManager]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^Agent: myapp.hello]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--ReplyConsumer]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--LeaderAssignor]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--Consumer]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--Web]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--CacheBackend]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--Producer]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^---ProducerBuffer]: Stopping... 
[2022-01-28 13:09:57,031] [260765] [INFO] [^--Monitor]: Stopping... 
[2022-01-28 13:09:57,032] [260765] [INFO] [^Worker]: Gathering service tasks... 
[2022-01-28 13:09:57,032] [260765] [INFO] [^Worker]: Gathering all futures... 
[2022-01-28 13:09:58,033] [260765] [INFO] [^Worker]: Closing event loop

Kafka (v.2.8.1) 在 10.0.0.20 端口 9092 上运行。Kafka 配置如下所示：

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# see kafka.server.KafkaConfig for additional details and defaults

############################# Server Basics #############################

# The id of the broker. This must be set to a unique integer for each broker.
broker.id=0

############################# Socket Server Settings #############################

# The address the socket server listens on. It will get the value returned from 
# java.net.InetAddress.getCanonicalHostName() if not configured.
#   FORMAT:
#     listeners = listener_name://host_name:port
#   EXAMPLE:
#     listeners = PLAINTEXT://your.host.name:9092
listeners=PLAINTEXT://:9092

# Hostname and port the broker will advertise to producers and consumers. If not set, 
# it uses the value for "listeners" if configured.  Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
advertised.listeners=PLAINTEXT://localhost:9092

# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL

# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3

# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8

# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400

# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400

# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600


############################# Log Basics #############################

# A comma separated list of directories under which to store log files
log.dirs=/tmp/kafka-logs

# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1

# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1

############################# Internal Topic Settings  #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1

############################# Log Flush Policy #############################

# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
#    1. Durability: Unflushed data may be lost if you are not using replication.
#    2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
#    3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.

# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000

# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000

############################# Log Retention Policy #############################

# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.

# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168

# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824

# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824

# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000

############################# Zookeeper #############################

# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=localhost:2181

# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000


############################# Group Coordinator Settings #############################

# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0

卡夫卡经纪人一开始就很顺利：

$ sudo bin/kafka-server-start.sh -daemon config/server.properties 

我得到了这个话题：

$ bin/kafka-topics.sh --bootstrap-server localhost:9092 --create --replication-factor 1 --partitions 1 --topic test

然后我检查：

$ bin/kafka-topics.sh --bootstrap-server localhost:9092 --list
test

所以我想知道我在哪里搞砸了。顺便说一句：可以从客户端机器访问服务器：

$ ping -c 5 10.0.0.20 -p 9092
PATTERN: 0x9092
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.468 ms
64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.790 ms
64 bytes from 10.0.0.20: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 10.0.0.20: icmp_seq=4 ttl=64 time=0.453 ms
64 bytes from 10.0.0.20: icmp_seq=5 ttl=64 time=0.827 ms

--- 10.0.0.20 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.453/0.691/0.918/0.192 ms

我有一台机器（运行 openSUSE Leap 15.3），它有多个公共 IP 地址，用作一些额外主机的网关。我需要让网关上的一个公共 IP 就像它属于连接到它的一台机器一样（流量被透明地转发）。

我iptables-save目前的输出如下（包括一些不相关的 Docker 规则，但敏感部分已编辑）：

# Generated by iptables-save v1.8.7
*filter
:INPUT ACCEPT [9747976:4527721149]
:FORWARD ACCEPT [12638879:4423560060]
:OUTPUT ACCEPT [8913992:2531503118]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed
# Generated by iptables-save v1.8.7
*nat
:PREROUTING ACCEPT [480085:188100350]
:INPUT ACCEPT [62951:4107383]
:OUTPUT ACCEPT [150:9857]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -d <REDACTED_FORWARDING_IP>/32 -i eth0 -j DNAT --to-destination 10.125.0.2
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed

据我所知，唯一相关的部分是：

-A PREROUTING -d <REDACTED_FORWARDING_IP>/32 -i eth0 -j DNAT --to-destination 10.125.0.2
-A POSTROUTING -j MASQUERADE

这仍然存在许多问题：

• 当内部机器启动出站连接时，它的 IP 被 NAT 为网关的主地址，而不是我试图给它的地址。
• 接收连接时，它们似乎来自网关的本地 IP，而不是原始 IP（应该有解决方法，因为这是默认网关）。
• 如果服务0.0.0.0在网关上侦听，则该端口上的连接不会被重定向，它们会转到该服务。

我试图将其他一些问题的答案拼接在一起，例如：

• https://superuser.com/q/1130250
• https://superuser.com/q/1513820
• iptables 将所有流量转发到指定端口，到另一台设备
• 使用 iptables 将来自辅助公共 IP 的所有传入流量重定向到内部 IP 地址
• 使用 iptables 将来自辅助公共 IP 的所有传入流量重定向到内部 IP 地址
• https://superuser.com/q/681705
• https://unix.stackexchange.com/q/395008/381510

但是由于我缺乏重要的 iptables 经验，我无法解决我的问题，或者解决了一些只是为了让其他人弹出。

任何人都可以提出一些规则来达到这种效果吗？或者也许有一种方法可以在没有 iptables 的情况下做到这一点？

将zypper patchopenSUSE Leap 15.2 上的 NFS 服务器安装到最新版本并重新启动后，kubernetes 集群（Openshift 4.5）中的节点无法再挂载 NFS 卷。

NFS 服务器版本：nfs-kernel-server-2.1.1-lp152.9.12.1.x86_64

/etc/exports 包含：

/nfs 192.168.11.*(rw,sync,no_wdelay,root_squash,insecure,no_subtree_check,fsid=0)

受影响的 pod 处于 ContainerCreating 状态

kubectl describe pod/<pod_name>给出以下错误：

Warning  FailedMount  31m   kubelet            MountVolume.SetUp failed for volume "volume" : mount failed: exit status 32
Mounting command: systemd-run
Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/c86dee2e-f533-43c9-9a1d-c4f00a1b8eef/volumes/kubernetes.io~nfs/smart-services-http-video-stream --scope -- mount -t nfs nfs.example.invalid:/nfs/volume /var/lib/kubelet/pods/c86dee2e-f533-43c9-9a1d-c4f00a1b8eef/volumes/kubernetes.io~nfs/pv-name
Output: Running scope as unit: run-r83d4e7dba1b645aca1e4693a48f45191.scope
mount.nfs: Operation not permitted

服务器仅运行 NFSv4，因此 rpcbind 已关闭且 showmount 命令不起作用。

直接挂载在 Kubernetes 节点上会导致以下错误：

sudo mount.nfs4 nfs.example.invalid:/core tmp/ -v; echo $?
mount.nfs4: timeout set for Wed Jul 21 12:16:49 2021
mount.nfs4: trying text-based options 'vers=4.2,addr=192.168.11.2,clientaddr=192.168.11.3'
mount.nfs4: mount(2): Operation not permitted
mount.nfs4: Operation not permitted
32

NFS 服务器上的 firewalld 规则：

  services: ssh dhcpv6-client nfs mountd rpc-bind samba http tftp
  ports: 2049/tcp 2049/udp

AppArmor 正在工作，关闭它并没有改变结果。

在更新 NFS 服务器之前，一切正常，没有进行其他配置更改。我怎样才能进一步调试它并使共享再次可挂载？

在使用 Docker 版本 20.10.6-ce，构建 8728dd246c3a 的 openSUSE Tumbleweed 上按照此处的说明操作很好

https://github.com/mirumee/saleor-platform#how-to-run-it

但是在带有 Docker 版本 19.03.15 的 openSUSE Leap 15.3 上，构建 99e3ed89195cmigrate命令（最后一个命令）会引发错误：

$ git clone https://github.com/mirumee/saleor-platform.git --recursive --jobs 3
$ cd saleor-platform
$ docker-compose build
$ docker-compose run --rm api python3 manage.py migrate

错误

psycopg2.OperationalError：无法连接到服务器：没有到主机的路由服务器是否在主机“db”（172.21.0.4）上运行并接受端口 5432 上的 TCP/IP 连接？

错误日志

m3@localhost:~/repos/saleor-platform> docker-compose run --rm api python3 manage.py migrate
Creating network "saleor-platform_default" with the default driver
Creating network "saleor-platform_saleor-backend-tier" with driver "bridge"
Creating saleor-platform_jaeger_1 ... done
Creating saleor-platform_db_1     ... done
Creating saleor-platform_redis_1  ... done
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 219, in ensure_connection
    self.connect()
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 200, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/postgresql/base.py", line 187, in get_new_connection
    connection = Database.connect(**conn_params)
  File "/usr/local/lib/python3.8/site-packages/psycopg2/__init__.py", line 127, in connect
    conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
psycopg2.OperationalError: could not connect to server: No route to host
        Is the server running on host "db" (172.21.0.4) and accepting
        TCP/IP connections on port 5432?


The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 401, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 395, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/base.py", line 330, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/base.py", line 371, in execute
    output = self.handle(*args, **options)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/base.py", line 85, in wrapped
    res = handle_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/commands/migrate.py", line 92, in handle
    executor = MigrationExecutor(connection, self.migration_progress_callback)
  File "/usr/local/lib/python3.8/site-packages/django/db/migrations/executor.py", line 18, in __init__
    self.loader = MigrationLoader(self.connection)
  File "/usr/local/lib/python3.8/site-packages/django/db/migrations/loader.py", line 53, in __init__
    self.build_graph()
  File "/usr/local/lib/python3.8/site-packages/django/db/migrations/loader.py", line 216, in build_graph
    self.applied_migrations = recorder.applied_migrations()
  File "/usr/local/lib/python3.8/site-packages/django/db/migrations/recorder.py", line 77, in applied_migrations
    if self.has_table():
  File "/usr/local/lib/python3.8/site-packages/django/db/migrations/recorder.py", line 55, in has_table
    with self.connection.cursor() as cursor:
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 259, in cursor
    return self._cursor()
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 235, in _cursor
    self.ensure_connection()
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 219, in ensure_connection
    self.connect()
  File "/usr/local/lib/python3.8/site-packages/django/db/utils.py", line 90, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 219, in ensure_connection
    self.connect()
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/base/base.py", line 200, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/usr/local/lib/python3.8/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/db/backends/postgresql/base.py", line 187, in get_new_connection
    connection = Database.connect(**conn_params)
  File "/usr/local/lib/python3.8/site-packages/psycopg2/__init__.py", line 127, in connect
    conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
django.db.utils.OperationalError: could not connect to server: No route to host
        Is the server running on host "db" (172.21.0.4) and accepting
        TCP/IP connections on port 5432?

m3@localhost:~/repos/saleor-platform> 

试过了

可能是由于操作系统设置。我通过防火墙将 PostgreSQL 端口添加5432到公共端口，但仍然收到错误。

试过了

没用：

• 重启 Docker 服务
• 重新启动机器

试过了

以下命令没有帮助：

https://stackoverflow.com/a/57502873/3405291

通过以下方式获取Subnet( 172.19.0.0/16)：

docker network ls
docker inspect ${NETWORK_NAME}

然后：

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.19.0.0/16 accept'
sudo firewall-cmd --reload
sudo systemctl restart docker.service

试过了

这种方法不起作用，即将它添加到docker-compose.yml文件内的数据库服务中：

     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust

https://unix.stackexchange.com/a/589519/158683

我运行这些命令在 openSUSE Tumbleweed 上安装 DNS 服务器依赖项：

sudo zypper in -t pattern dhcp_dns_server
sudo systemctl enable named.service
sudo systemctl start named.service

要配置 DNS 服务器，我正在按照本文档尝试 YAST2 ：

sudo yast2 dns-server

我打算example.com用 IP 地址配置域区域1.2.3.4。

我做了什么

我有一个主类型的 DNS 区域：

我的NS 记录选项卡是：

我的记录选项卡是：

问题

但是，保存配置会遇到问题：

警告

保存配置失败。更改设置？

我想不通。任何人都可以帮忙吗？

更新

由@JiriB 建议，我运行了这些命令并重新配置了 DNS 服务器。但观察结果和之前一样：

sudo systemctl revert named.service
sudo rpm  -qV bind
sudo cp /etc/named.conf.YaST-backup /etc/named.conf
sudo yast2 dns-server

我刚刚执行php -i | grep "Loaded Configuration File"以找出我的 PHP CLI 的配置文件的存储位置，但我得到：Loaded Configuration File => (none). 所以它加载默认设置作为后备。

如果没有加载配置文件，如何为 PHP CLI 启用 openssl 扩展？

目前我OpenSSL support => disabled (install ext/openssl)在打电话时得到php -i | grep -i "openssl"

由于我有问题，我正在从另一个站点重定向这个问题，我希望有人能指出我正确的方向。

问题>>>

A) 我们的外部提供商（通过 VPN 连接）需要访问“OpenSuse42.3”到特定端口，“nmap”或“ncat”工具显示为“已过滤”或“拒绝”。

B) 没有服务正在侦听这些端口。

C) 此服务器上没有运行防火墙。

D) 安全团队在防火墙上打开了这些端口，并证明连接已被服务器“OpenSuse42.3”重置。

测试从提供商 VPN 连接（从我的计算机）从“10.10.10.2”运行到“10.10.10.1”（问题服务器）

示例 1：来自“10.10.10.2”

nmap -sT -p1101,3050 10.10.10.1

 PORT     STATE    SERVICE
 1101/tcp filtered pt2-discover
 3050/tcp filtered gds_db

示例 2：来自“10.10.10.2”

数控 -z -v 10.10.10.1 1101

  Ncat: Version 7.50 ( https://nmap.org/ncat )
  Ncat: Connection refused.

数控-z-v 10.10.10.1 3050

  Ncat: Version 7.50 ( https://nmap.org/ncat )
  Ncat: Connection refused.

示例 3：在服务器“10.10.10.1”上

tcpdump -n -i eth0 端口 1101 或端口 3050 -v

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

13:00:28.940582 IP (tos 0x0, ttl 64, id 32383, offset 0, flags [DF], proto TCP (6), length 60) 
10.10.10.2.58000 > 10.10.10.1.1101: Flags [S], cksum 0xa3fc (correct), seq 3906215335, win 29200, 
options [mss 1460,sackOK,TS val 1388733400 ecr 0,nop,wscale 7], length 0

13:00:28.940662 IP (tos 0x0, ttl 64, id 40440, offset 0, flags [DF], proto TCP (6), length 40) 
10.10.10.1.1101 > 10.10.10.2.58000: Flags [R.], cksum 0x347b (correct), seq 0, ack 3906215336, win 0, 
length 0

13:00:31.263502 IP (tos 0x0, ttl 64, id 60627, offset 0, flags [DF], proto TCP (6), length 60) 
10.10.10.2.40830 > 10.10.10.1.3050: Flags [S], cksum 0x8bc2 (correct), seq 3504308280, win 29200, 
options [mss 1460,sackOK,TS val 1388735723 ecr 0,nop,wscale 7], length 0

13:00:31.263569 IP (tos 0x0, ttl 64, id 40888, offset 0, flags [DF], proto TCP (6), length 40) 
10.10.10.1.3050 > 10.10.10.2.40830: Flags [R.], cksum 0x2554 (correct), seq 0, ack 3504308281, win 0, 
length 0

但

只要我在服务器上放一些东西，比如“nc -l 1101”或“nc -l 3050”，问题就会消失，这是有道理的。据我所知，如果端口没有防火墙且服务未运行，“nmap”工具通常将端口状态显示为“关闭”，如果服务正在此端口上运行，则显示“打开”。

问题

端口是打开还是关闭？？？我认为我是正确的并且端口是开放的。我还要检查什么，因为提供商一直坚持在“10.10.10.1”上关闭端口，他无法继续工作。他使用测试作为 - “telnet 10.10.10.1 1101”。

如果在这种情况下有什么不清楚的地方，请告诉我，我会回复。

欣赏它！！！！

在这里运行 opensuse tumbleweed。我已经停止了防火墙并成功配置了爱普生网络打印机/扫描仪（XP-241）。打印和扫描（使用 skanlite）都可以正常工作。然后我再次启动防火墙并添加以下规则：

firewall-cmd --permanent --zone=public --add-source=192.168.1.47/32

但它没有用。当我打开 skanlite 时，它​​说在网络上找不到扫描仪。如果我停止防火墙，然后我按下按钮重新扫描网络，这次扫描仪找到了。还有什么可以阻止通信？

我来自 Ubuntu，我只是在配置新系统。在 ubuntu 上，以下规则足以允许与扫描仪通信：

-A ufw-user-input -i enp3s0 -s 192.168.1.47  -j accept

在firewalld上我还需要做什么？

    kimera:~ # firewall-cmd --zone=public --list-all 
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp3s0
      sources: 192.168.1.47/32
      services: dhcpv6-client ssh transmission-client
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: