Michael Hampton's questions

像我们许多人一样，我昨天花了很多时间更新了很多系统以减轻Meltdown 和 Spectre 攻击。据我了解，有必要安装两个软件包并重新启动：

kernel-3.10.0-693.11.6.el7.x86_64
microcode_ctl-2.1-22.2.el7.x86_64

我有两个安装了这些软件包并重新启动的 CentOS 7 系统。

根据 Red Hat 的说法，我可以通过检查这些 sysctl 并确保它们都为 1 来检查缓解状态。但是，在这些系统上，它们并不都是 1：

# cat /sys/kernel/debug/x86/pti_enabled
1
# cat /sys/kernel/debug/x86/ibpb_enabled
0
# cat /sys/kernel/debug/x86/ibrs_enabled
0

而且我也不能将它们设置为 1：

# echo 1 > /sys/kernel/debug/x86/ibpb_enabled
-bash: echo: write error: No such device
# echo 1 > /sys/kernel/debug/x86/ibrs_enabled
-bash: echo: write error: No such device

我确认英特尔微码似乎已在启动时加载：

# systemctl status microcode -l
● microcode.service - Load CPU microcode update
   Loaded: loaded (/usr/lib/systemd/system/microcode.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2018-01-05 16:42:25 UTC; 9min ago
  Process: 30383 ExecStart=/usr/bin/bash -c grep -l GenuineIntel /proc/cpuinfo | xargs grep -l -E "model[[:space:]]*: 79$" > /dev/null || echo 1 > /sys/devices/system/cpu/microcode/reload (code=exited, status=0/SUCCESS)
 Main PID: 30383 (code=exited, status=0/SUCCESS)

Jan 05 16:42:25 makrura systemd[1]: Starting Load CPU microcode update...
Jan 05 16:42:25 makrura systemd[1]: Started Load CPU microcode update.

Evendmesg似乎已经证实了这一点：

[    3.245580] microcode: CPU0 sig=0x50662, pf=0x10, revision=0xf
[    3.245627] microcode: CPU1 sig=0x50662, pf=0x10, revision=0xf
[    3.245674] microcode: CPU2 sig=0x50662, pf=0x10, revision=0xf
[    3.245722] microcode: CPU3 sig=0x50662, pf=0x10, revision=0xf
[    3.245768] microcode: CPU4 sig=0x50662, pf=0x10, revision=0xf
[    3.245816] microcode: CPU5 sig=0x50662, pf=0x10, revision=0xf
[    3.245869] microcode: CPU6 sig=0x50662, pf=0x10, revision=0xf
[    3.245880] microcode: CPU7 sig=0x50662, pf=0x10, revision=0xf
[    3.245924] microcode: CPU8 sig=0x50662, pf=0x10, revision=0xf
[    3.245972] microcode: CPU9 sig=0x50662, pf=0x10, revision=0xf
[    3.245989] microcode: CPU10 sig=0x50662, pf=0x10, revision=0xf
[    3.246036] microcode: CPU11 sig=0x50662, pf=0x10, revision=0xf
[    3.246083] microcode: CPU12 sig=0x50662, pf=0x10, revision=0xf
[    3.246131] microcode: CPU13 sig=0x50662, pf=0x10, revision=0xf
[    3.246179] microcode: CPU14 sig=0x50662, pf=0x10, revision=0xf
[    3.246194] microcode: CPU15 sig=0x50662, pf=0x10, revision=0xf
[    3.246273] microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba

我有一个以前代号为 Broadwell 的 Intel CPU：

processor       : 15
vendor_id       : GenuineIntel
cpu family      : 6
model           : 86
model name      : Intel(R) Xeon(R) CPU D-1540 @ 2.00GHz
stepping        : 2
microcode       : 0xf
cpu MHz         : 2499.921
cache size      : 12288 KB
physical id     : 0
siblings        : 16
core id         : 7
cpu cores       : 8
apicid          : 15
initial apicid  : 15
fpu             : yes
fpu_exception   : yes
cpuid level     : 20
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb cat_l3 invpcid_single intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts
bogomips        : 3999.90
clflush size    : 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

该cpuid实用程序报告：

# cpuid -1
Disclaimer: cpuid may not support decoding of all cpuid registers.
CPU:
   vendor_id = "GenuineIntel"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = Intel Pentium Pro/II/III/Celeron/Core/Core 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
      model           = 0x6 (6)
      stepping id     = 0x2 (2)
      extended family = 0x0 (0)
      extended model  = 0x5 (5)
      (simple synth)  = Intel Xeon D-1500 (Broadwell-DE V1), 14nm
   miscellaneous (1/ebx):
      process local APIC physical ID = 0x9 (9)
      cpu count                      = 0x10 (16)
      CLFLUSH line size              = 0x8 (8)
      brand index                    = 0x0 (0)
   brand id = 0x00 (0): unknown
   feature information (1/edx):
      x87 FPU on chip                        = true
      virtual-8086 mode enhancement          = true
      debugging extensions                   = true
      page size extensions                   = true
      time stamp counter                     = true
      RDMSR and WRMSR support                = true
      physical address extensions            = true
      machine check exception                = true
      CMPXCHG8B inst.                        = true
      APIC on chip                           = true
      SYSENTER and SYSEXIT                   = true
      memory type range registers            = true
      PTE global bit                         = true
      machine check architecture             = true
      conditional move/compare instruction   = true
      page attribute table                   = true
      page size extension                    = true
      processor serial number                = false
      CLFLUSH instruction                    = true
      debug store                            = true
      thermal monitor and clock ctrl         = true
      MMX Technology                         = true
      FXSAVE/FXRSTOR                         = true
      SSE extensions                         = true
      SSE2 extensions                        = true
      self snoop                             = true
      hyper-threading / multi-core supported = true
      therm. monitor                         = true
      IA64                                   = false
      pending break event                    = true
   feature information (1/ecx):
      PNI/SSE3: Prescott New Instructions     = true
      PCLMULDQ instruction                    = true
      64-bit debug store                      = true
      MONITOR/MWAIT                           = true
      CPL-qualified debug store               = true
      VMX: virtual machine extensions         = true
      SMX: safer mode extensions              = true
      Enhanced Intel SpeedStep Technology     = true
      thermal monitor 2                       = true
      SSSE3 extensions                        = true
      context ID: adaptive or shared L1 data  = false
      FMA instruction                         = true
      CMPXCHG16B instruction                  = true
      xTPR disable                            = true
      perfmon and debug                       = true
      process context identifiers             = true
      direct cache access                     = true
      SSE4.1 extensions                       = true
      SSE4.2 extensions                       = true
      extended xAPIC support                  = true
      MOVBE instruction                       = true
      POPCNT instruction                      = true
      time stamp counter deadline             = true
      AES instruction                         = true
      XSAVE/XSTOR states                      = true
      OS-enabled XSAVE/XSTOR                  = true
      AVX: advanced vector extensions         = true
      F16C half-precision convert instruction = true
      RDRAND instruction                      = true
      hypervisor guest status                 = false
   cache and TLB information (2):
      0x63: data TLB: 1G pages, 4-way, 4 entries
      0x03: data TLB: 4K pages, 4-way, 64 entries
      0x76: instruction TLB: 2M/4M pages, fully, 8 entries
      0xff: cache data is in CPUID 4
      0xb5: instruction TLB: 4K, 8-way, 64 entries
      0xf0: 64 byte prefetching
      0xc3: L2 TLB: 4K/2M pages, 6-way, 1536 entries
   processor serial number: 0005-0662-0000-0000-0000-0000
   deterministic cache parameters (4):
      --- cache 0 ---
      cache type                           = data cache (1)
      cache level                          = 0x1 (1)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 63
      --- cache 1 ---
      cache type                           = instruction cache (2)
      cache level                          = 0x1 (1)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 63
      --- cache 2 ---
      cache type                           = unified cache (3)
      cache level                          = 0x2 (2)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 511
      --- cache 3 ---
      cache type                           = unified cache (3)
      cache level                          = 0x3 (3)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0xf (15)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0xb (11)
      ways of associativity                = 0x6 (6)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = true
      complex cache indexing               = true
      number of sets - 1 (s)               = 16383
   MONITOR/MWAIT (5):
      smallest monitor-line size (bytes)       = 0x40 (64)
      largest monitor-line size (bytes)        = 0x40 (64)
      enum of Monitor-MWAIT exts supported     = true
      supports intrs as break-event for MWAIT  = true
      number of C0 sub C-states using MWAIT    = 0x0 (0)
      number of C1 sub C-states using MWAIT    = 0x2 (2)
      number of C2 sub C-states using MWAIT    = 0x1 (1)
      number of C3 sub C-states using MWAIT    = 0x2 (2)
      number of C4 sub C-states using MWAIT    = 0x0 (0)
      number of C5 sub C-states using MWAIT    = 0x0 (0)
      number of C6 sub C-states using MWAIT    = 0x0 (0)
      number of C7 sub C-states using MWAIT    = 0x0 (0)
   Thermal and Power Management Features (6):
      digital thermometer                     = true
      Intel Turbo Boost Technology            = true
      ARAT always running APIC timer          = true
      PLN power limit notification            = true
      ECMD extended clock modulation duty     = true
      PTM package thermal management          = true
      HWP base registers                      = false
      HWP notification                        = false
      HWP activity window                     = false
      HWP energy performance preference       = false
      HWP package level request               = false
      HDC base registers                      = false
      digital thermometer thresholds          = 0x2 (2)
      ACNT/MCNT supported performance measure = true
      ACNT2 available                         = false
      performance-energy bias capability      = true
   extended feature flags (7):
      FSGSBASE instructions                    = true
      IA32_TSC_ADJUST MSR supported            = true
      SGX: Software Guard Extensions supported = false
      BMI instruction                          = true
      HLE hardware lock elision                = true
      AVX2: advanced vector extensions 2       = true
      FDP_EXCPTN_ONLY                          = false
      SMEP supervisor mode exec protection     = true
      BMI2 instructions                        = true
      enhanced REP MOVSB/STOSB                 = true
      INVPCID instruction                      = true
      RTM: restricted transactional memory     = true
      QM: quality of service monitoring        = true
      deprecated FPU CS/DS                     = true
      intel memory protection extensions       = false
      PQE: platform quality of service enforce = true
      AVX512F: AVX-512 foundation instructions = false
      AVX512DQ: double & quadword instructions = false
      RDSEED instruction                       = true
      ADX instructions                         = true
      SMAP: supervisor mode access prevention  = true
      AVX512IFMA: fused multiply add           = false
      CLFLUSHOPT instruction                   = false
      CLWB instruction                         = false
      Intel processor trace                    = true
      AVX512PF: prefetch instructions          = false
      AVX512ER: exponent & reciprocal instrs   = false
      AVX512CD: conflict detection instrs      = false
      SHA instructions                         = false
      AVX512BW: byte & word instructions       = false
      AVX512VL: vector length                  = false
      PREFETCHWT1                              = false
      AVX512VBMI: vector byte manipulation     = false
      UMIP: user-mode instruction prevention   = false
      PKU protection keys for user-mode        = false
      OSPKE CR4.PKE and RDPKRU/WRPKRU          = false
      BNDLDX/BNDSTX MAWAU value in 64-bit mode = 0x0 (0)
      RDPID: read processor D supported        = false
      SGX_LC: SGX launch config supported      = false
      AVX512_4VNNIW: neural network instrs     = false
      AVX512_4FMAPS: multiply acc single prec  = false
   Direct Cache Access Parameters (9):
      PLATFORM_DCA_CAP MSR bits = 1
   Architecture Performance Monitoring Features (0xa/eax):
      version ID                               = 0x3 (3)
      number of counters per logical processor = 0x4 (4)
      bit width of counter                     = 0x30 (48)
      length of EBX bit vector                 = 0x7 (7)
   Architecture Performance Monitoring Features (0xa/ebx):
      core cycle event not available           = false
      instruction retired event not available  = false
      reference cycles event not available     = false
      last-level cache ref event not available = false
      last-level cache miss event not avail    = false
      branch inst retired event not available  = false
      branch mispred retired event not avail   = false
   Architecture Performance Monitoring Features (0xa/edx):
      number of fixed counters    = 0x3 (3)
      bit width of fixed counters = 0x30 (48)
   x2APIC features / processor topology (0xb):
      --- level 0 (thread) ---
      bits to shift APIC ID to get next = 0x1 (1)
      logical processors at this level  = 0x2 (2)
      level number                      = 0x0 (0)
      level type                        = thread (1)
      extended APIC ID                  = 9
      --- level 1 (core) ---
      bits to shift APIC ID to get next = 0x4 (4)
      logical processors at this level  = 0x10 (16)
      level number                      = 0x1 (1)
      level type                        = core (2)
      extended APIC ID                  = 9
   XSAVE features (0xd/0):
      XCR0 lower 32 bits valid bit field mask = 0x00000007
      XCR0 upper 32 bits valid bit field mask = 0x00000000
         XCR0 supported: x87 state            = true
         XCR0 supported: SSE state            = true
         XCR0 supported: AVX state            = true
         XCR0 supported: MPX BNDREGS          = false
         XCR0 supported: MPX BNDCSR           = false
         XCR0 supported: AVX-512 opmask       = false
         XCR0 supported: AVX-512 ZMM_Hi256    = false
         XCR0 supported: AVX-512 Hi16_ZMM     = false
         IA32_XSS supported: PT state         = false
         XCR0 supported: PKRU state           = false
      bytes required by fields in XCR0        = 0x00000340 (832)
      bytes required by XSAVE/XRSTOR area     = 0x00000340 (832)
   XSAVE features (0xd/1):
      XSAVEOPT instruction                        = true
      XSAVEC instruction                          = false
      XGETBV instruction                          = false
      XSAVES/XRSTORS instructions                 = false
      SAVE area size in bytes                     = 0x00000000 (0)
      IA32_XSS lower 32 bits valid bit field mask = 0x00000000
      IA32_XSS upper 32 bits valid bit field mask = 0x00000000
   AVX/YMM features (0xd/2):
      AVX/YMM save state byte size             = 0x00000100 (256)
      AVX/YMM save state byte offset           = 0x00000240 (576)
      supported in IA32_XSS or XCR0            = XCR0 (user state)
      64-byte alignment in compacted XSAVE     = false
   Quality of Service Monitoring Resource Type (0xf/0):
      Maximum range of RMID = 63
      supports L3 cache QoS monitoring = false
   L3 Cache Quality of Service Monitoring (0xf/1):
      Conversion factor from IA32_QM_CTR to bytes = 32768
      Maximum range of RMID                       = 63
      supports L3 occupancy monitoring       = true
      supports L3 total bandwidth monitoring = true
      supports L3 local bandwidth monitoring = true
   Resource Director Technology allocation (0x10/0):
      L3 cache allocation technology supported = true
      L2 cache allocation technology supported = false
   L3 Cache Allocation Technology (0x10/1):
      length of capacity bit mask - 1 = 0xb (11)
      Bit-granular map of isolation/contention    = 0x00000c00
      infrequent updates of COS              = true
      code and data prioritization supported = false
      highest COS number supported = 0xb (11)
   0x00000011 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
   SGX capability (0x12/0):
      SGX1 supported                         = false
      SGX2 supported                         = false
      MISCSELECT.EXINFO supported: #PF & #GP = false
      MaxEnclaveSize_Not64 (log2)            = 0x0 (0)
      MaxEnclaveSize_64 (log2)               = 0x0 (0)
   0x00000013 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
   Intel Processor Trace (0x14):
      IA32_RTIT_CR3_MATCH is accessible      = true
      configurable PSB & cycle-accurate      = false
      IP & TraceStop filtering; PT preserve  = false
      MTC timing packet; suppress COFI-based = false
      PTWRITE support                        = false
      power event trace support              = false
      IA32_RTIT_CTL can enable tracing  = true
      ToPA can hold many output entries = false
      single-range output scheme        = false
      output to trace transport         = false
      IP payloads have LIP values & CS  = false
   extended feature flags (0x80000001/edx):
      SYSCALL and SYSRET instructions        = true
      execution disable                      = true
      1-GB large page support                = true
      RDTSCP                                 = true
      64-bit extensions technology available = true
   Intel feature flags (0x80000001/ecx):
      LAHF/SAHF supported in 64-bit mode     = true
      LZCNT advanced bit manipulation        = true
      3DNow! PREFETCH/PREFETCHW instructions = true
   brand = "Intel(R) Xeon(R) CPU D-1540 @ 2.00GHz"
   L1 TLB/cache information: 2M/4M pages & L1 TLB (0x80000005/eax):
      instruction # entries     = 0x0 (0)
      instruction associativity = 0x0 (0)
      data # entries            = 0x0 (0)
      data associativity        = 0x0 (0)
   L1 TLB/cache information: 4K pages & L1 TLB (0x80000005/ebx):
      instruction # entries     = 0x0 (0)
      instruction associativity = 0x0 (0)
      data # entries            = 0x0 (0)
      data associativity        = 0x0 (0)
   L1 data cache information (0x80000005/ecx):
      line size (bytes) = 0x0 (0)
      lines per tag     = 0x0 (0)
      associativity     = 0x0 (0)
      size (KB)         = 0x0 (0)
   L1 instruction cache information (0x80000005/edx):
      line size (bytes) = 0x0 (0)
      lines per tag     = 0x0 (0)
      associativity     = 0x0 (0)
      size (KB)         = 0x0 (0)
   L2 TLB/cache information: 2M/4M pages & L2 TLB (0x80000006/eax):
      instruction # entries     = 0x0 (0)
      instruction associativity = L2 off (0)
      data # entries            = 0x0 (0)
      data associativity        = L2 off (0)
   L2 TLB/cache information: 4K pages & L2 TLB (0x80000006/ebx):
      instruction # entries     = 0x0 (0)
      instruction associativity = L2 off (0)
      data # entries            = 0x0 (0)
      data associativity        = L2 off (0)
   L2 unified cache information (0x80000006/ecx):
      line size (bytes) = 0x40 (64)
      lines per tag     = 0x0 (0)
      associativity     = 8-way (6)
      size (KB)         = 0x100 (256)
   L3 cache information (0x80000006/edx):
      line size (bytes)     = 0x0 (0)
      lines per tag         = 0x0 (0)
      associativity         = L2 off (0)
      size (in 512KB units) = 0x0 (0)
   Advanced Power Management Features (0x80000007/edx):
      temperature sensing diode      = false
      frequency ID (FID) control     = false
      voltage ID (VID) control       = false
      thermal trip (TTP)             = false
      thermal monitor (TM)           = false
      software thermal control (STC) = false
      100 MHz multiplier control     = false
      hardware P-State control       = false
      TscInvariant                   = true
   Physical Address and Linear Address Size (0x80000008/eax):
      maximum physical address bits         = 0x2e (46)
      maximum linear (virtual) address bits = 0x30 (48)
      maximum guest physical address bits   = 0x0 (0)
   Logical CPU cores (0x80000008/ecx):
      number of CPU cores - 1 = 0x0 (0)
      ApicIdCoreIdSize        = 0x0 (0)
   (multi-processing synth): multi-core (c=8), hyper-threaded (t=2)
   (multi-processing method): Intel leaf 0xb
   (APIC widths synth): CORE_width=4 SMT_width=1
   (APIC synth): PKG_ID=0 CORE_ID=4 SMT_ID=1
   (synth) = Intel Xeon D-1500 (Broadwell-DE V1), 14nm

该系统完全是最新的：

# yum upgrade
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.colo-serv.net
 * epel: mirror.steadfast.net
 * extras: centos.mirror.colo-serv.net
 * updates: centos.mirror.colo-serv.net
No packages marked for update

我觉得我错过了一些重要的事情，但在这一点上我真的不知道它可能是什么。这里发生了什么？如何让系统完全缓解？

我在 Fedora 27 工作站、具有 Core i7-3770 CPU 的台式机和具有 Core i7-7500U 的笔记本电脑上也看到了相同的行为。

这真是搞乱了我备份这台机器的计划......

我有一台服务器，它是多个虚拟机的 KVM 管理程序。其中之一是运行 Docker。它在 /dev/vdb 上有其 Docker 卷，该卷设置为 LVM PV，Docker 在其上使用其 direct-lvm 驱动程序来存储 Docker 容器数据。此虚拟磁盘是主机本地磁盘上的 LVM LV。

主机和来宾都运行 Fedora 21。

主持人对该卷的看法是（仅显示相关卷）：

[root@host ~]# lvs
  LV                           VG         Attr       LSize
  docker2.example.com-volumes vm-volumes -wi-ao---- 40.00g
[root@host ~]# dmsetup ls --tree
vm--volumes-docker2.example.com--volumes (253:10)
 └─ (9:125)

客人对该卷的看法是（同样，仅显示相关卷）：

[root@docker2 ~]# pvs
  PV         VG             Fmt  Attr PSize  PFree
  /dev/vdb   docker-volumes lvm2 a--  40.00g    0 

使用主机上的所有其他 LVM 卷，我可以使用 拍摄快照lvcreate --snapshot，备份快照，然后lvremove它没有问题。但是对于这个特定的卷，我不能lvremove这样做，因为它正在使用中：

[root@host ~]# lvremove /dev/vm-volumes/snap-docker2.example.com-volumes 
  Logical volume vm-volumes/snap-docker2.example.com-volumes is used by another device.

最终我发现主机上的设备映射器以某种方式发现这个逻辑卷快照包含一个 LVM PV，然后继续将快照中的逻辑卷映射到主机（仅显示相关卷）：

[root@host ~]# dmsetup ls --tree
vm--volumes-docker2.example.com--volumes (253:10)
 └─vm--volumes-docker2.example.com--volumes-real (253:14)
    └─ (9:125)
docker--volumes-docker--data (253:18)
 └─vm--volumes-snap--docker2.example.com--volumes (253:16)
    ├─vm--volumes-snap--docker2.example.com--volumes-cow (253:15)
    │  └─ (9:125)
    └─vm--volumes-docker2.example.com--volumes-real (253:14)
       └─ (9:125)
docker--volumes-docker--meta (253:17)
 └─vm--volumes-snap--docker2.example.com--volumes (253:16)
    ├─vm--volumes-snap--docker2.example.com--volumes-cow (253:15)
    │  └─ (9:125)
    └─vm--volumes-docker2.example.com--volumes-real (253:14)
       └─ (9:125)

这些与 VM 内的逻辑卷完全对应：

[root@docker2 ~]# lvs
  LV          VG             Attr       LSize
  docker-data docker-volumes -wi-ao---- 39.95g
  docker-meta docker-volumes -wi-ao---- 44.00m

值得注意的是，它不会在系统启动时尝试对 LVM LV 执行此操作，而是仅在我拍摄快照时尝试这样做。

这里发生了什么？我真的不希望设备映射器检查 LVM 快照的内容以查看其中是否有任何内容无法为我映射。我可以抑制这种行为吗？还是我需要通过其他方法创建快照？

Zabbix 能够监控支持 SNMP 的设备，甚至在其 Web 界面中显示它们的状态：

绿色图标表示 Zabbix 正在接收数据。

红色图标表示 Zabbix 没有接收数据。

但是，如果 SNMP 设备不可用，我找不到任何明显的方法让 Zabbix 通知我。

今天我发现我的一台服务器磁盘空间不足；磁盘正在被 SNMP 监控，但 Zabbix 自 12 月 15 日以来没有收到任何数据！在那段时间里，它一直显示这个红色图标，但我没有理由在那段时间查看主机列表，因此我错过了它。直到今天服务器因磁盘空间不足而死机，我的手机在晚餐中响起......

在调查中，我当然发现snmpd is stopped。我本来希望在两个月前收到通知！

发生这种情况时，Zabbix 不应该生成事件吗？Zabbix 手册没有提及它。而谷歌只想告诉我如何监控特定的 OID。当 SNMP 设备根本没有响应时，我如何获得通知？

显而易见的方法是创建一个触发器，尽管我不知道这个数据点可能有什么项目名称（同样，它不在手册中，也没有从谷歌得到）。

服务器是 Zabbix 2.0.9，我使用的是它内置的 Template SNMP Disks 模板。

您可能知道，默认情况下，当您在基于 Debian 或 Ubuntu 的系统上安装软件包时，如果该软件包包含服务，则该服务通常会在您安装该软件包时自动启用并启动。

这对我来说是个问题。

我发现自己需要管理用于构建 LXC 容器的模板。有几个容器，每个容器对应一个 Debian 或 Ubuntu 版本。（也有基于 Red Hat 的容器，但它们在这里不相关。）

/var/lib/libvirt/filesystems/debian6_template
/var/lib/libvirt/filesystems/debian7_template
/var/lib/libvirt/filesystems/ubuntu1004_template
/var/lib/libvirt/filesystems/ubuntu1204_template

有时我会发现模板缺少包或需要进行其他更改，因此我将 chroot 进入它们以安装包。不幸的是，当我这样做时，我最终运行了几个包服务的副本！

例如，我发现模板没有系统日志守护程序，所以我安装了一个：

for template in /var/lib/libvirt/filesystems/{debian,ubuntu}*_template; do
    chroot $template apt-get install rsyslog
done

并立即运行了四个 rsyslog 副本。更不用说两份exim4了。哎呀！

我在某处读到（虽然我现在找不到了）它不应该在 chroot 中运行时启动服务，但这显然不会发生在这里。

一个可能可行的讨厌的黑客要求临时替换实际启动服务的各种命令，例如start-stop-daemonand initctl，尽管这比我真正想做的工作要多得多。如果我别无选择，虽然...

这里理想的解决方案是让基于 Debian 的系统停止做这种废话，但如果做不到这一点，可能是一个晦涩的或未记录的命令行选项apt-get？

如果不清楚，如果可能的话，我真的想保留与管理模板之外的模板相关的任何内容。

我有两台主机试图相互建立 IPSec 连接。为此，它们必须在 UDP 端口 500 和 4500 上进行通信，因此我在两端的防火墙中打开了它们（如相关部分所示）：

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m udp -p udp --dport 4500 -j ACCEPT
#.....
-A INPUT -j REJECT --reject-with icmp6-port-unreachable

但是，密钥交换永远不会成功。每一方都不断尝试一遍又一遍地重新传输 UDP 数据包，从未听到任何响应，直到他们最终放弃。

我从tcpdump一端开始，观察到 UDP 数据包被分片，并且在第二个分片进入后返回了一个无法访问的 ICMP 端口。

此类失败交换的示例（为保护您而进行了清理）：

04:00:43.311572 IP6 (hlim 51, next-header Fragment (44) payload length: 1240) 2001:db8::be6b:d879 > 2001:db8:f:608::2: frag (0x5efa507c:0|1232) ipsec-nat-t > ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001 cookie 55fa7f39522011ef->f8259707aad5f995: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1596/ip 1220)
04:00:43.311597 IP6 (hlim 51, next-header Fragment (44) payload length: 384) 2001:db8::be6b:d879 > 2001:db8:f:608::2: frag (0x5efa507c:1232|376)
04:00:43.311722 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 432) 2001:db8:f:608::2 > 2001:db8::be6b:d879: [icmp6 sum ok] ICMP6, destination unreachable, length 432, unreachable port[|icmp6]

防火墙记录了有关此数据包的以下内容：

Aug 26 04:00:43 grummle kernel: iptables: REJECT IN=eth0 OUT= MAC=############### SRC=2001:0db8:0000:0000:0000:0000:be6b:d879 DST=2001:0db8:000f:0608:0000:0000:0000:0002 LEN=424 TC=0 HOPLIMIT=51 FLOWLBL=0 OPT ( FRAG:1232 ID:5efa507c ) PROTO=UDP

我的印象是 Linux 在将片段传递给数据包过滤器之前会自动重新组装片段。那么为什么这些片段没有被重新组装，因此第二个片段随后被拒绝？

我正在设置一个 FreeIPA 域。在我的实验室里有三个虚拟机：域控制器ipadc1和两个客户端puppet和wordpress（有创意，是的，我知道）。所有三个虚拟机都运行新安装的 CentOS 6.4 (FreeIPA 3.0.0)。

我已经安装了 IPA 服务器，创建了一个我们将example.us在这里调用的域，并启用了 DNS 服务和自动 DNS 更新。

我已成功将两个虚拟机加入域。但动态 DNS 更新只是将 AAAA 记录放入 DNS。没有插入任何 A 记录。

我的动态更新和 BIND 更新策略的 DNS 区域设置似乎也是正确的。

两个客户端虚拟机实际上都有IPv4 地址；puppet具有静态 IPv4 地址并wordpress从 DHCP 获取其 IPv4 地址。这似乎没有什么不同。

# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:3c:d5:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.25.50.227/24 brd 172.25.50.255 scope global eth0
    inet6 2001:db8:16:bf:5054:ff:fe3c:d5f5/64 scope global dynamic 
       valid_lft 86180sec preferred_lft 14180sec
    inet6 fe80::5054:ff:fe3c:d5f5/64 scope link 
       valid_lft forever preferred_lft forever

问题实际上似乎出在 sssd 上，我了解到它实际上负责推送动态 DNS 更新。我开始调试debug_level = 9并在日志中发现了这一点。这似乎表明 sssd 甚至没有尝试发送 A 记录，尽管它并没有真正告诉我原因。

(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_send] (0x4000): Performing update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Multicast IPv4 address 172.25.50.227
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Link local IPv6 address fe80::5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_step] (0x1000): Checking if the update is needed
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_get_family_order] (0x1000): Lookup order: ipv6_first
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x1000): Address on localhost only: 2001:db8:16:bf:5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x0400): Detected IP addresses change, will perform an update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0200): Creating update message for realm [EXAMPLE.US] and zone [example.us].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- Begin nsupdate message --
realm EXAMPLE.US
zone example.us.
update delete wordpress.example.us. in A
send
update delete wordpress.example.us. in AAAA
send
update add wordpress.example.us. 86400 in AAAA 2001:db8:16:bf:5054:ff:fe3c:d5f5
send
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- End nsupdate message --
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_stdin_done] (0x4000): Sending nsupdate data complete
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x1000): Waiting for child [2144].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x0100): child [2144] finished successfully.
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_done] (0x0020): DNS update finished

我sssd.conf的是：

[domain/example.us]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.us
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = wordpress.example.us
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipadc1.example.us
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.us
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

结果ipa dnszone-show example.us --all是：

  dn: idnsname=example.us,cn=dns,dc=example,dc=us
  Zone name: example.us
  Authoritative nameserver: ipadc1.example.us.
  Administrator e-mail address: hostmaster.example.us.
  SOA serial: 1374982142
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.US krb5-self * A; grant EXAMPLE.US krb5-self
                      * AAAA; grant EXAMPLE.US krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  mxrecord: 0 mail.example.us
  nsrecord: ipadc1.example.us.
  objectclass: top, idnsrecord, idnszone
  txtrecord: v=spf1 a mx -all

虽然这对我来说确实是一个小问题，因为我可以在没有 IPv4 DNS 更新的情况下上线（很高兴成为 100% 双栈），但不知道这里发生了什么仍然很烦人。也许有一些我错过的日志可以说明情况？

（哦，是的，我将其关闭并再次打开。）

我经常听到它建议通过将用户帐户的外壳设置为/bin/false. 但是，在我现有的 Linux 系统上，我看到大量现有帐户（所有这些帐户都是服务帐户）都有一个外壳/sbin/nologin。

我从手册页中看到/sbin/nologin向用户打印一条消息，说明该帐户已被禁用，然后退出。大概/bin/false不会打印任何东西。

我还看到它/sbin/nologin列在 中/etc/shells，而/bin/false没有。

手册页说 FTP 将禁用具有未列出的 shell 的用户的访问权限，/etc/shells并暗示其他程序可能会这样做。这是否意味着有人可以使用具有/sbin/nologin外壳的帐户进行 FTP 访问？

这里有什么区别？我应该使用其中哪一个来禁用用户帐户，以及在什么情况下？上市还有哪些其他影响/etc/shells？

我目前正在评估 Server 2012 以用作 Linux 和 Windows 工作站和服务器的小型异构网络中的域控制器，所有这些最终都会加入到域中。这是一个 100% 双栈网络；每个设备都有 IPv4 和 IPv6 连接。路由器是运行 radvd 1.9.1 和各种其他必需品的 Linux 服务器。

我刚刚安装了第一个域控制器；它的域名是ad.businessname.com（这里businessname.com由外部DNS服务器处理；该域还有公共网站、电子邮件等，这些暂时不会加入域）。它是安装了 AD DS 和 DNS 角色的服务器核心。一切似乎都很好，我正准备设置第二个 DC 并开始加入计算机，但是......

现在我的网络上有额外的 IPv6 路由器广告，广告Unique Local Addresses。它还通告实际路由器通告的本机 IPv6 前缀。起初我以为这些 RA 来自域控制器，因为当我关闭它时它们消失了，但在运行 Wireshark 后我发现它们来自我的实际 IPv6 路由器。Wireshark 显示此版本的 RA 紧随来自 DC 的 fd4a:e7ab:34a5::1 邻居请求之后。

奇怪的是，当域控制器不在网络上时，路由器还会发送它通常发送的原始路由通告。此版本的 RA 匹配/etc/radvd.conf（副本如下）。与 Wireshark 的快速会话确认路由器通告的两个版本都来自正在运行的 Linux 路由器的 MAC 地址radvd。

到目前为止，这些似乎无害，因为我的 IPv6 连接没有因额外 RA 的存在而中断。但由于我已经拥有全球 IPv6 连接，ULA 似乎是不必要和不需要的。

我昨晚和今天花了很多时间在互联网上搜索，试图弄清楚发生了什么，但除了暗示它可能与 IP Helper 服务有关（以及模糊的警告不要把它关掉）。但据我所知，当本机 IPv6 可用时禁用此服务应该是安全的。

所以我的问题是：

• 为什么 Windows 为 ULA 网络发送邻居请求？
• 为什么发送这些 RA，显然是作为回应？
• 为什么除了我的本地地址之外，他们还要宣传 ULA？
• 这不会导致以后的 IPv6 路由出现问题吗？
• 我必须忍受这个吗，或者我怎样才能让 Windows 和 radvd 正常运行？

各种配置信息如下：

这是已发送的捕获的 RA（如图所示，radvdumpIMO 比 wireshark 的输出更易于阅读）。您可以看到它正在通告 ULA 和公共前缀（此处模糊）。当我关闭域控制器时，这个版本的 RA 不再出现在网络上。

#
# radvd configuration generated by radvdump 1.9.1
# based on Router Advertisement from fe80::20c:29ff:fef4:66f1
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 0;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;
        AdvLinkMTU 1500;

        prefix fd4a:e7ab:34a5::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 86400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        prefix 2001:db8:16:bf::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 86400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS fd4a:e7ab:34a5::1
        {
                AdvRDNSSLifetime 86400;
        }; # End of RDNSS definition


        DNSSL businessname.com
        {
                AdvDNSSLLifetime 1800;
        }; # End of DNSSL definition

}; # End of interface definition

这是原始的路由器广告，它与路由器的广告相匹配，/etc/radvd.conf并且仍在发送到网络上，与上面的广告交替出现：

#
# radvd configuration generated by radvdump 1.9.1
# based on Router Advertisement from fe80::20c:29ff:fef4:66f1
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        prefix 2001:db8:16:bf::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS 2001:4860:4860::8888 2001:4860:4860::8844
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition

}; # End of interface definition

域控制器上安装的角色/功能列表：

[dc1]: PS C:\Users\Administrator\Documents> Get-WindowsFeature | where {$_.InstallState -eq "Installed"}

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[X] Active Directory Domain Services                    AD-Domain-Services             Installed
[X] DNS Server                                          DNS                            Installed
[X] File And Storage Services                           FileAndStorage-Services        Installed
    [X] File and iSCSI Services                         File-Services                  Installed
        [X] File Server                                 FS-FileServer                  Installed
    [X] Storage Services                                Storage-Services               Installed
[X] .NET Framework 4.5 Features                         NET-Framework-45-Fea...        Installed
    [X] .NET Framework 4.5                              NET-Framework-45-Core          Installed
    [X] WCF Services                                    NET-WCF-Services45             Installed
        [X] TCP Port Sharing                            NET-WCF-TCP-PortShar...        Installed
[X] Group Policy Management                             GPMC                           Installed
[X] Remote Server Administration Tools                  RSAT                           Installed
    [X] Role Administration Tools                       RSAT-Role-Tools                Installed
        [X] AD DS and AD LDS Tools                      RSAT-AD-Tools                  Installed
            [X] Active Directory module for Windows ... RSAT-AD-PowerShell             Installed
[X] Windows PowerShell                                  PowerShellRoot                 Installed
    [X] Windows PowerShell 3.0                          PowerShell                     Installed
[X] WoW64 Support                                       WoW64-Support                  Installed

根据聊天中的要求，以太网接口的 IPv6 配置：

[dc1]: PS C:\Users\Administrator\Documents> netsh interface ipv6 show interface interface=Ethernet

Interface Ethernet Parameters
----------------------------------------------
IfLuid                             : ethernet_7
IfIndex                            : 12
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 33500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 64
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application

这是一个关于 IPv6 子网划分的规范问题。

有关的：

• IPv4 子网划分如何工作？

我对IPv4 子网划分了解很多，当我准备（部署|工作）一个 IPv6 网络时，我需要知道这些知识中有多少是可转移的，以及我还需要学习什么。乍一看，IPv6 似乎比 IPv4 复杂得多。所以我想知道：

• IPv6 是 128 位，那么为什么 /64 是主机推荐的最小子网？与此相关：
  • 为什么建议对路由器之间的点对点链接使用 /127，为什么过去不建议这样做？我应该更改现有路由器链接以使用 /127 吗？
  • 为什么要为虚拟机提供少于 /64 的地址？
  • 在其他情况下我会使用小于 /64 的子网吗？
• 我可以直接从 IPv4 子网映射到 IPv6 子网吗？例如，IPv4 /24 是否直接对应于 IPv6 /56 或 /120？
• 我的接口有多个 IPv6 地址。所有子网都必须相同吗？
• 为什么我有时会在 IPv6 地址中看到 % 而不是 /，这是什么意思？
• 我是否浪费了太多子网？我们不是又要跑出去了吗？
• IPv6 子网划分与 IPv4 子网划分在哪些其他主要方面不同？

我在 KVM 虚拟机中虚拟运行 Windows Server 2008 R2。

最近虚拟机决定停止启动，并提出启动启动修复。但是，进入启动修复后，虚拟硬盘无处可寻。

我挂载了 Red Hat Enterprise Virtualization 提供的 Windows Guest Tools ISO 映像，然后发现（实际上记得）Red Hat 以可安装的 .msi 文件形式提供 virtio guest 驱动程序，而不是 Startup Repair 可以使用的格式。

如何让“启动修复”找到磁盘以便完成修复？

我使用 git 部署了一个 Drupal 网站（嗯，好的，开发人员部署它；我尽量让他们远离麻烦），因此该网站在文档根目录中有一个目录.git和一个文件.gitignore。

目前，如果在 Web 浏览器中访问这些文件，这些文件的权限足以导致 nginx 返回 403 Forbidden 错误。

但是，我希望 nginx 完全否认这个文件和目录的存在，如果有人试图在浏览器中访问它们，则返回 404。

但是等等，还有更多！

我真正想要发生的是让浏览器接收到 Drupal 生成的 404 错误页面。在 Drupal 的admin/settings/error-reporting页面中，我看到 404 错误被发送到http://www.example.com/404error，这是一个 Drupal 节点，具有 Internet 上更有趣的 404 页面之一。

我的 nginx 配置已经包含一个@drupal将请求传递给 Drupal 的块。所以我想将请求传递给 Drupal，但我也不希望 Drupal 尝试提供现有的静态文件，而是简单地提供 404 页面。

location @drupal {
    rewrite ^/(.+)$        /index.php?q=$1 last;
}

不幸的是，谷歌在这里并没有太大帮助。大多数人似乎都有相反的问题。如何将.git目录或.gitignore文件中的任何内容请求发送到 Drupal 的 404 页面？

我正在尝试在 CentOS 6.3 上设置 Zenoss 4.2.0 以通过 IPv6 监控远程 MySQL 5.5.25a 服务器。防火墙为监控服务器打开，我可以从命令行正常连接：

[root@zenoss ~]# mysql -u zenoss -p -h 2001:db8:81:2c::2
...
mysql> SELECT USER(),CURRENT_USER();
+-----------------------------------------+-----------------------------------------+
| USER()                                  | CURRENT_USER()                          |
+-----------------------------------------+-----------------------------------------+
| zenoss@2001:db8:16:bf:5054:ff:fec0:f7a5 | zenoss@2001:db8:16:bf:5054:ff:fec0:f7a5 |
+-----------------------------------------+-----------------------------------------+
1 row in set (0.09 sec)

然而，Zenoss 生成了一个事件“No performance data from plugin”，其详细信息抱怨它无法连接到服务器：

MySQL Error: (2003, "Can't connect to MySQL server on '2001:db8:81:2c::2' (-9)")

据我所知，-9 甚至不是一个有效的错误号。当然，用谷歌搜索负数是不可能的。

我检查了 zMySqlUsername 和 zMySqlPassword - 不止一次 - 它们具有正确的值。

我也试过用括号输入 IPv6 地址，但 MySQL 根本不喜欢这样，无论是在 Zenoss 中还是在命令行中。

这个问题的原因是什么？

我一直在创建和销毁虚拟机，以测试各种服务或应用程序，所以我想使用 avahi 通过它们的名称连接到它们，这样我就不必在脑海中占用宝贵的空间对于明天可能会消失的动态 IP 地址。这似乎并不总是有效。

我目前有两台 CentOS 6.3 虚拟机，都运行着 avahi-daemon，但无法通过名称访问其中一台。

问题机器：

error@underground ~ $ ssh nagios.local
ssh: Could not resolve hostname nagios.local: Name or service not known

工作机：

error@underground ~ $ ssh puppet.local
[email protected]'s password: 

但是我可以在网络上看到它：（地下是我工作的主机）

error@underground ~ $ avahi-browse -at
+    br0 IPv4 puppet                                        SSH Remote Terminal  local
+    br0 IPv4 nagios                                        SSH Remote Terminal  local
+    br0 IPv4 puppet [52:54:00:d0:31:c7]                    Workstation          local
+    br0 IPv4 nagios [52:54:00:93:ec:af]                    Workstation          local
+    br0 IPv4 underground [6c:62:6d:d1:df:ad]               Workstation          local
+ virbr0 IPv4 underground [52:54:00:8e:60:30]               Workstation          local

根据反馈，输出来自getent hosts：

error@underground ~ $ getent hosts nagios.local
error@underground ~ $ getent hosts puppet.local
192.168.12.146  puppet.local

在无法访问的虚拟机 nagios.local 上，avahi-daemon（显然）已安装并正在运行，我在防火墙上打了一个适当的洞：

 pkts bytes target     prot opt in     out     source               destination
   74 15950 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         state NEW udp dpt:5353 

nagios.local 上的系统日志让我完全不知道可能发生了什么：

Jul 18 04:24:18 nagios avahi-daemon[1384]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.12.132.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Jul 18 04:24:18 nagios avahi-daemon[1476]: Successfully dropped root privileges.
Jul 18 04:24:18 nagios avahi-daemon[1476]: avahi-daemon 0.6.25 starting up.
Jul 18 04:24:18 nagios avahi-daemon[1476]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jul 18 04:24:18 nagios avahi-daemon[1476]: Successfully called chroot().
Jul 18 04:24:18 nagios avahi-daemon[1476]: Successfully dropped remaining capabilities.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Loading service file /services/ssh.service.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.12.132.
Jul 18 04:24:18 nagios avahi-daemon[1476]: New relevant interface eth0.IPv4 for mDNS.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Network interface enumeration completed.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Registering new address record for 2001:db8:1600:80bf:5054:ff:fe93:ecaf on eth0.*.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Registering new address record for 192.168.12.132 on eth0.IPv4.
Jul 18 04:24:18 nagios avahi-daemon[1476]: Registering HINFO record with values 'X86_64'/'LINUX'.
Jul 18 04:24:19 nagios avahi-daemon[1476]: Server startup complete. Host name is nagios.local. Local service cookie is 3129794608.
Jul 18 04:24:19 nagios avahi-daemon[1476]: Service "nagios" (/services/ssh.service) successfully established.

这两个安装之间的主要区别在于 puppet.local 是作为“桌面”安装安装的，而 nagios.local 是作为“最小”安装安装的，并且稍后安装了各种 avahi 相关包。

我不知道为什么我无法解析这台机器的名称。我错过了什么显而易见的事情？

更新：根据mgorven的推荐，我再次检查主机，发现没有nss-mdns安装。所以我安装了它，现在问题正好相反！从主机上看：

error@underground ~ $ getent hosts puppet.local
error@underground ~ $ getent hosts nagios.local
192.168.12.132  nagios.local

在我的 Linux 机器上，我有各种守护进程，它们可以绑定到::. 当他们这样做时，Linux 将 IPv4 请求发送到映射为例如::ffff:198.51.100.37.

相反，我希望在守护程序绑定到::. 要接收 IPv4 连接，我希望守护程序必须显式绑定到0.0.0.0（以及::）。

换句话说，我想专门在 IPv6 而不是 IPv4 上运行服务。

有没有办法做到这一点？

我有一个盒子正在从CentOS 5升级到CentOS 6。在原来的服务器上，所有用户都有MD5密码。升级后的服务器现在使用 SHA-512 密码。

/etc/shadow升级后改过密码且有SHA-512密码的crontab用户可以成功使用，但没有改过密码且仍然有旧MD5密码的用户无法使用crontab。他们收到的错误信息是：

Authentication service cannot retrieve authentication info
You (_username_) are not allowed to access to (crontab) because of pam configuration.

我看过/etc/pam.d/system-auth（你也可以）但我不确定要调整什么以允许尚未更改密码的用户访问 crontab。

我很清楚我可以强制每个人更改他们的密码chage -d 0，并且更改密码的用户将重新获得对 crontab 的访问权限（以及其他任何可能被破坏的内容）但是我有一些用户需要在他们之前编辑他们的 crontab下次登录，并crontab -e -u _username_以 root 用户身份使用也会失败，并出现与上述完全相同的错误。

奇怪的是，这个问题并没有出现在我的开发箱中；就在部署之前，我在暂存箱上遇到过这个问题。使用旧 MD5 密码的开发箱上的用户可以很好地访问 crontab，并且/etc/pam.d/system-auth是相同的。dev 和 staging box 应该是相同的，除了它们的 IP 地址。我怀疑我错过了一些非常明显和愚蠢的东西......

所以我的问题是，如何为尚未更改密码并经过 SHA-512 哈希处理的用户启用对 crontab 的访问权限？或者，我该如何解决这个问题？

我有一个新安装的 Windows Server 2008 R2 SP1 虚拟机，它完全无法访问任何 IPv6 网页，尽管显然具有适当的 IPv6 连接。此外，其他 Linux VM 也无法访问 IPv6 网站。

此设置以前工作正常，在虚拟机中具有完整的 IPv6 连接，并且在没有明显原因的情况下停止工作。

我所有的虚拟机都桥接到物理以太网，并从主机上的 radvd 接收公告。IPv6 在主机上正常工作，主机也是 IPv6 路由器。Wireshark 显示主机在收到 HTTP SYN 数据包后发回 ICMPv6 Destination Unreachable (Administratively prohibited)。

Internet Explorer 报告无法显示该网页，而 Google Chrome 仅显示 Oops！Chrome 无法连接到网页，没有错误编号。

我什至能够 ping 本地网关和 Google 的 IPv6 地址并进行 IPv6 DNS 查找。

PS C:\Users\Administrator> ping -6 fe80::6e62:6dff:fed1:dfad

Pinging fe80::6e62:6dff:fed1:dfad with 32 bytes of data:
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms

Ping statistics for fe80::6e62:6dff:fed1:dfad:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PS C:\Users\Administrator> ping -6 www.google.com

Pinging www.l.google.com [2001:4860:800a::67] with 32 bytes of data:
Reply from 2001:4860:800a::67: time=43ms
Reply from 2001:4860:800a::67: time=42ms
Reply from 2001:4860:800a::67: time=46ms
Reply from 2001:4860:800a::67: time=42ms

Ping statistics for 2001:4860:800a::67:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 42ms, Maximum = 46ms, Average = 43ms

我的虚拟机配置如下所示：

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-CRLO5NIQB72
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 52-54-00-DD-DF-3E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:1600:80bf:5054:ff:fedd:df3e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5054:ff:fedd:df3e%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.12.146(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 1:59:42 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 1:59:42 PM
   Default Gateway . . . . . . . . . : fe80::6e62:6dff:fed1:dfad%13
                                       192.168.12.1
   DHCP Server . . . . . . . . . . . : 192.168.12.1
   DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                       2001:4860:4860::8844
                                       192.168.12.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10d1:317d:3f57:f36d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10d1:317d:3f57:f36d%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

PS C:\Users\Administrator> netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       13  fe80::6e62:6dff:fed1:dfad
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001::/32                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  2001:0:4137:9e76:10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    8    2001:db8:1600:80bf::/64   13  Local Area Connection 2
No       Manual    256  2001:db8:1600:80bf:5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  fe80::/64                  13  Local Area Connection 2
No       Manual    256  fe80::/64                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5efe:192.168.12.146/128   11  isatap.local
No       Manual    256  fe80::10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   13  Local Area Connection 2
No       Manual    256  ff00::/8                   12  Teredo Tunneling Pseudo-Interface

PS C:\Users\Administrator> netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

到目前为止，我在 VM 中尝试过：

netsh interface ipv6 set global randomizeidentifiers=disabled

没变。

禁用 Teredo 适配器：无变化。它以某种方式重新启用。

使用Microsoft Fix-It 优先选择 IPv6 而不是 IPv4：无变化。

到目前为止，我已经在主机上尝试过：

检查 IPv6 转发 sysctl：

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sixxs.forwarding = 1
net.ipv6.conf.virbr0.forwarding = 1
net.ipv6.conf.virbr0-nic.forwarding = 1
net.ipv6.conf.vnet0.forwarding = 1
net.ipv6.conf.vnet1.forwarding = 1
net.ipv6.conf.vnet2.forwarding = 1

重新启动 radvd：没有变化。