AskOverflow.Dev


ufk's questions

ufk
Asked: 2021-06-24 11:24:11 +0800 CST

Configuring my Linux as a router: how do I enable port forwarding with nftables?

  • 2

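I'm trying to configure my Gentoo Linux as a router.

This is my configuration so far.

The WAN NIC is enp3s0 and the LAN NIC is enp1s0f0.

It accepts connections from the LAN to ICMP, TCP ports 53, 22, 80, 443, 445 and 5900, and UDP ports 53, 67 and 68.

It accepts connections from the WAN to SSH port 22.

These work fine; what I failed to do is create port forwarding.

I'm trying to set it up so that if a connection on port 222 comes from the WAN, it is forwarded to the machine with IP address 192.168.1.2 on port 22. This rule produces no errors, but it doesn't let me connect either.

This is my configuration: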

table ip filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
        iif "lo" accept
        iif "enp1s0f0" tcp dport { 22, 53, 80, 443, 445, 5900 } counter packets 0 bytes 0 log accept
        iif "enp3s0" tcp dport { 22 } counter packets 0 bytes 0 log accept
        iif "enp1s0f0" udp dport { 53, 67, 68 } accept
        iif "enp1s0f0" ip protocol icmp accept
        counter packets 1 bytes 259 drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct state { established, related, new } accept
        iif "lo" accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "enp3s0" oif "enp1s0f0" ct state { established, related } accept
        iif "enp1s0f0" oif "enp3s0" accept
        iif "enp3s0" oif "enp1s0f0" counter packets 0 bytes 0 drop
    }

    chain postrouting {
        type filter hook postrouting priority filter; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "enp3s0" masquerade
    }

    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        iif "enp3s0" tcp dport { 222 } dnat to 192.168.1.2:22  ### <- PORT FORWARDING RULE HERE
    }
}

How can I correct this?

Thank you.

firewall linux nat nftables
  • 1 answer
  • 703 Views
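
Added example (not part of the original question): a small Python check that walks the posted forward chain for a new connection that was DNATed in prerouting, and shows which rule decides its fate. It assumes 192.168.1.2 is reached through enp1s0f0; the function names and the `ct status dnat accept` rule are illustrative choices, and the parser understands only the match expressions that appear in this ruleset.

```python
import re

# Constructed input: the forward and prerouting chains from the question,
# with the packet/byte counters left out.
RULESET = '''
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "enp3s0" oif "enp1s0f0" ct state { established, related } accept
        iif "enp1s0f0" oif "enp3s0" accept
        iif "enp3s0" oif "enp1s0f0" counter drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        iif "enp3s0" tcp dport { 222 } dnat to 192.168.1.2:22
    }
}
'''

# One possible correction (an assumption, not taken from the page): accept
# WAN-to-LAN packets whose conntrack entry was DNATed, ahead of the final drop.
DROP = 'iif "enp3s0" oif "enp1s0f0" counter drop'
ALLOW_DNAT = 'iif "enp3s0" oif "enp1s0f0" ct status dnat accept'
FIXED = RULESET.replace(DROP, ALLOW_DNAT + "\n        " + DROP)


def parse_chains(text):
    """Return {(table, chain): {"policy": str, "rules": [str, ...]}}."""
    chains, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if m := re.match(r"table \w+ (\w+) \{$", line):
            table = m.group(1)
        elif m := re.match(r"chain (\w+) \{$", line):
            chain = (table, m.group(1))
            chains[chain] = {"policy": "accept", "rules": []}
        elif line == "}":
            if chain:
                chain = None                     # closes the chain
            else:
                table = None                     # closes the table
        elif chain and line.startswith("type "):
            if m := re.search(r"policy (\w+);", line):
                chains[chain]["policy"] = m.group(1)
        elif chain:
            chains[chain]["rules"].append(line)
    return chains


def rule_matches(rule, pkt):
    """True if every match expression this sketch understands fits the packet."""
    for key in ("iif", "oif"):
        m = re.search(rf'\b{key}(?:name)? "([^"]+)"', rule)
        if m and m.group(1) != pkt[key]:
            return False
    m = re.search(r"ct state (?:\{([^}]*)\}|(\w+))", rule)
    if m:
        states = {s.strip() for s in (m.group(1) or m.group(2)).split(",")}
        if pkt["ct_state"] not in states:
            return False
    m = re.search(r"ct status (\w+)", rule)
    if m and m.group(1) not in pkt["ct_status"]:
        return False
    return True


def forward_verdict(chains, pkt):
    """First matching accept/drop rule in filter/forward, else the chain policy."""
    chain = chains[("filter", "forward")]
    for rule in chain["rules"]:
        verdict = re.search(r"\b(accept|drop)$", rule)
        if verdict and rule_matches(rule, pkt):
            return verdict.group(1), rule
    return chain["policy"], "chain policy"


def check_port_forwards(text, lan_if):
    """For each dnat rule, report what the forward chain does with the new flow."""
    chains = parse_chains(text)
    results = []
    for rule in chains[("nat", "prerouting")]["rules"]:
        m = re.search(r'iif(?:name)? "([^"]+)".*dnat to (\S+)', rule)
        if not m:
            continue
        # After DNAT the first packet is still a NEW connection arriving on the
        # WAN interface, now routed towards the LAN interface.
        pkt = {"iif": m.group(1), "oif": lan_if,
               "ct_state": "new", "ct_status": {"dnat"}}
        verdict, decided_by = forward_verdict(chains, pkt)
        results.append((m.group(2), verdict, decided_by))
    return results


if __name__ == "__main__":
    for name, rules in (("posted", RULESET), ("with ct status dnat rule", FIXED)):
        for target, verdict, by in check_port_forwards(rules, "enp1s0f0"):
            print(f"{name}: forward to {target} -> {verdict} ({by})")
```

With the added rule only DNATed flows pass; any other new connection from enp3s0 to enp1s0f0 still reaches the final drop.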
ufk
Asked: 2020-08-10 06:00:55 +0800 CST

Trying to configure Icinga 2 Director for mail notifications on any type of alert

  • 0

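I have the icingaweb2 web interface for icinga2, and Director.

I want to send email notifications for any type of alert on any host I monitor.

So I went to the icingaweb2 web interface, and in the left menu I clicked Icinga Director -> Notifications, then clicked Notifications and then add.

I actually added two notifications.

For one I imported mail-host-notification, and for the other I imported mail-service-notification.

So host-related notifications are one script and service-related notifications are another script.

Since I want to send all types of notifications, in the mandatory Assign where I configured !service.disabled for services, so that it applies as long as the service is enabled, and I used host.zone == "master", since I don't have any satellites and they are all in the same zone.

Is this the right way to do it?

I didn't find anywhere to define where the emails should be sent.

I checked the scripts, and they should be called with an environment variable (I think), USEREMAIL, that defines where the email is sent. I can't find where to set it!

So, to sum up, a few questions:

  1. To be alerted with all types of notifications from all hosts, do the Assign where rules I applied make sense?
  2. Is this the right way to configure email notifications?
  3. How do I set the required variables, such as where to send the email?

Thank you very much.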

icinga2
  • 1 answer
  • 861 Views
ufk
Asked: 2020-05-06 00:46:15 +0800 CST

How do I properly protect Postfix on my Ubuntu server against flooding and spam?

  • 1

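I want to add an email server in production, and I'd like to know how to protect it as much as possible and make sure that the emails are legitimate and don't end up as spam.

The Linux distribution is Ubuntu 19.10 and the email server is Postfix 3.4.5.

I use the ufw firewall.

I did the following, and I'd like to know whether I'm missing anything else:

  1. I configured reverse DNS lookup for my email server's DNS, which will show the correct IP address of the server sending the email.
  2. "ufw limit 25/tcp" to prevent flooding of the mail server.
  3. I read https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/ and enabling HELO might be a good option.
  4. I can make sure that sending email from this server is allowed only from the office's VPN IP. I googled and still haven't found how to do that.

Is there anything else that might be useful? Any information regarding the issue would be greatly appreciated.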

email postfix
  • 1 answer
  • 326 Views
ufk
Asked: 2020-05-04 10:09:08 +0800 CST

Running remote check commands with an Icinga remote agent

  • 0

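I installed icinga v2.11.3-1 on 4 servers; one of them is the master and the rest are agent nodes. They are configured properly, since they are visible in icingaweb2 under hosts.

What I want is to be able to run check commands on the remote agents.

Say I want to monitor a server named my-server.

So on the master node I added the following configuration:

First, the host and zone definitions: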

object Host "my-server" {
  import "generic-host"
        address = "my-server-host"
        vars.os = "Linux"
  vars.disks["disk /mnt/data"] = {
    disk_partitions =  "/mnt/data"
  }
  vars.agent_endpoint = name

}

object Endpoint "my-server" {
 host = "my-server"
}

object Zone "my-server" {
 endpoints = ["my-server"]
parent = "master"
}

Note that I added vars.agent_endpoint.

I applied the following to the disk service:

apply Service "disk" {
  check_command = "disk"

  // Check is executed on the remote command endpoint
  command_endpoint = host.vars.agent_endpoint
  zone = host.vars.agent_endpoint
  assign where host.vars.agent_endpoint
}

This is the definition that checks host.vars.disks in the services.conf configuration file:

apply Service for (disk => config in host.vars.disks) {
  import "generic-service" 
  check_command = "disk"
  vars += config
}

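But it still checks the free space on the parent node and shows that result.

I'm probably missing something in the configuration, and I don't know what.

Any ideas regarding the issue would be greatly appreciated.

Thanks!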

system-monitoring icinga2 icinga
  • 1 answer
  • 809 Views
ufk
Asked: 2020-04-23 00:16:52 +0800 CST

Getting agent nodes to show up on the master node in icingaweb2

  • 0

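I installed icinga2 and icingaweb2 on the master node, and icinga2 on 3 other servers as agent nodes. I used icinga2 node wizard to configure them as agents and allow them to connect to the master node. I didn't see any error messages, and it looks like they connected successfully.

Is there anything else I need to do to make them visible on the master node?

The icingaweb2 interface shows only the master node; none of the others appear.

I configured the agents following the instructions at https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/#agentsatellite-setup

I opened port 5665 from the master to the agents and from the agents to the master.

After signing the certificates on the master, I get the following in the master's log for all nodes: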

information/ApiListener: New client connection for identity 'NODE_NAME' from [145.239.141.102]:47518 (no Endpoint object found for identity)

I assumed I didn't need to add configuration manually on the parent node... but since I got this error, I added the following for each agent node:

object Zone "<HOST-NAME>" {
        endpoints = ["<HOST-NAME>"]
    parent = "master"
}

object Endpoint "<HOST-NAME>" {
        host = "<HOST-NAME>"
}

So I added this for all 3 servers with agents, and now I don't see any errors, but they still don't appear in the icingaweb2 interface.

This is the icinga2 log when I restart icinga2 on the master:

[2020-04-22 08:12:39 +0000] information/FileLogger: 'main-log' started.
[2020-04-22 08:12:39 +0000] information/ApiListener: 'api' started.
[2020-04-22 08:12:39 +0000] information/ApiListener: Started new listener on '[0.0.0.0]:5665'
[2020-04-22 08:12:39 +0000] information/ApiListener: Reconnecting to endpoint 'AGENT-HOST-03' via host 'AGENT-HOST-03' and port '5665'
[2020-04-22 08:12:39 +0000] information/ApiListener: Reconnecting to endpoint 'AGENT-HOST-02' via host 'AGENT-HOST-02' and port '5665'
[2020-04-22 08:12:39 +0000] information/DbConnection: 'ido-pgsql' started.
[2020-04-22 08:12:39 +0000] information/ApiListener: Reconnecting to endpoint 'AGENT-HOST-01' via host 'AGENT-HOST-01' and port '5665'
[2020-04-22 08:12:39 +0000] information/NotificationComponent: 'notification' started.
[2020-04-22 08:12:39 +0000] information/CheckerComponent: 'checker' started.
[2020-04-22 08:12:39 +0000] information/ConfigItem: Activated all objects.
[2020-04-22 08:12:39 +0000] information/IdoPgsqlConnection: 'ido-pgsql' resumed.
[2020-04-22 08:12:39 +0000] information/DbConnection: Resuming IDO connection: ido-pgsql
[2020-04-22 08:12:39 +0000] information/IdoPgsqlConnection: PGSQL IDO instance id: 1 (schema version: '1.14.3')
[2020-04-22 08:12:39 +0000] information/ApiListener: New client connection for identity 'AGENT-HOST-02' to [51.178.76.91]:5665
[2020-04-22 08:12:39 +0000] information/ApiListener: New client connection for identity 'AGENT-HOST-01' to [51.178.91.176]:5665
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending config updates for endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending config updates for endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending config file updates for endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending config file updates for endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Syncing runtime objects to endpoint 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Syncing runtime objects to endpoint 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing runtime objects to endpoint 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending runtime config updates for endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending replay log for endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing runtime objects to endpoint 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending runtime config updates for endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending replay log for endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending replay log for endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing endpoint 'AGENT-HOST-01' in zone 'AGENT-HOST-01'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished reconnecting to endpoint 'AGENT-HOST-01' via host 'AGENT-HOST-01' and port '5665'
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending replay log for endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing endpoint 'AGENT-HOST-02' in zone 'AGENT-HOST-02'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished reconnecting to endpoint 'AGENT-HOST-02' via host 'AGENT-HOST-02' and port '5665'
[2020-04-22 08:12:39 +0000] information/ApiListener: New client connection for identity 'AGENT-HOST-03' to [145.239.141.102]:5665
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending config updates for endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending config file updates for endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Syncing runtime objects to endpoint 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing runtime objects to endpoint 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending runtime config updates for endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Sending replay log for endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished sending replay log for endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished syncing endpoint 'AGENT-HOST-03' in zone 'AGENT-HOST-03'.
[2020-04-22 08:12:39 +0000] information/ApiListener: Finished reconnecting to endpoint 'AGENT-HOST-03' via host 'AGENT-HOST-03' and port '5665'
[2020-04-22 08:12:39 +0000] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0555351 second(s).
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: Received certificate request for CN 'AGENT-HOST-01' signed by our CA.
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: The certificate for CN 'AGENT-HOST-01' is valid and uptodate. Skipping automated renewal.
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: Received certificate request for CN 'AGENT-HOST-02' signed by our CA.
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: The certificate for CN 'AGENT-HOST-02' is valid and uptodate. Skipping automated renewal.
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: Received certificate request for CN 'AGENT-HOST-03' signed by our CA.
[2020-04-22 08:12:39 +0000] information/JsonRpcConnection: The certificate for CN 'AGENT-HOST-03' is valid and uptodate. Skipping automated renewal.
[2020-04-22 08:12:49 +0000] information/WorkQueue: #5 (ApiListener, RelayQueue) items: 0, rate: 0.233333/s (14/min 14/5min 14/15min);
[2020-04-22 08:12:49 +0000] information/WorkQueue: #6 (ApiListener, SyncQueue) items: 0, rate:  0/s (0/min 0/5min 0/15min);
[2020-04-22 08:12:49 +0000] information/WorkQueue: #7 (IdoPgsqlConnection, ido-pgsql) items: 0, rate: 0.25/s (15/min 15/5min 15/15min);

Any information regarding the issue would be greatly appreciated.

monitoring icinga2 icinga
  • 1 answer
  • 339 Views
ufk
Asked: 2020-04-08 03:57:31 +0800 CST

Adding a 3rd server with pglogical replication to a 2-server cluster with streaming synchronous replication, using Patroni for failover

  • 2

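I have 3 servers with Ubuntu 19.10, PostgreSQL 12.2 and Patroni 1.6.4, and I want the following setup:

I want two servers with synchronous replication, and I want to add a third server with pglogical replication that only accepts inserts to specific tables. No DELETE, TRUNCATE or anything else.

I log a huge number of purchases every day, around 300 million. I want the servers to hold the purchase history for the last 30 days, and the third server, which has very large storage, to hold the entire purchase history.

So far I have a Patroni cluster with etcd for the 2 servers, with the following configuration:

This is the configuration I have for the first and second servers; of course the server name is different in each one: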

scope: patroni_cluster_1
name: server_X

restapi:
  listen: 0.0.0.0:8008
  connect_address: X.X.X.X:8008

etcd:
  hosts: X.X.X.X:2379
  protocol: http

bootstrap:
  dcs:
    ttl: 30
    loop_wait: 10
    retry_timeout : 10
    maximum_lag_on_failover: 1048576
    postgresql:
      use_pg_rewind: true
      use_slots: true
      parameters:
        wal_keep_segments: 100

  initdb:
  - encoding: UTF8
  - data-checksums

  pg_hba:
  - host replication replicator 0.0.0.0/0 md5
  - host all all 0.0.0.0/0 md5

postgresql:
  listen: 0.0.0.0:5432
  connect_address: X.X.X.X:5432
  synchronous_mode: true
  synchronous_mode_strict: false
  data_dir: /var/lib/postgresql/patroni_cluster_1/server_X/data
  bin_dir: /usr/lib/postgresql/12/bin
  authentication:
    replication:
      username: replicator
      password: XXXX
    superuser:
      username: postgres
      password: XXXX
  parameters:
    shared_preload_libraries: pglogical

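I added pglogical as a shared library because I'd like to know whether I can set up the third server entirely with Patroni.

I read about how to set up pglogical at https://blog.dbi-services.com/postgresql-logical-replication-with-pglogical/, and I'd like to know whether I can fully configure the third server with pglogical for inserts only.

I'm new to Patroni and quite lost, so any information regarding the issue would be greatly appreciated.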

postgresql failovercluster database-replication patroni
  • 1 answer
  • 280 Views
ufk
Asked: 2016-09-24 15:37:39 +0800 CST

kubelet service with etcd2-tls can't connect to 127.0.0.1:8080 - getsockopt: connection refused

  • 0

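I have CoreOS stable v1122.2.0 installed.

I configured etcd2 with TLS and it works properly. I created the certificates based on https://github.com/coreos/etcd/tree/master/hack/tls-setup, using a subdomain I created for my server instead of a specific IP address, so that Calico TLS would work.

etcd2 and calico-node are configured and working properly. Now I want to configure Kubernetes. I used the instructions at https://coreos.com/kubernetes/docs/latest/deploy-master.html, and for now I have configured only one CoreOS server.

When I start kubelet and run journalctl -f -u kubelet, I get the following messages: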

 Sep 23 23:30:11 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:11.495381    1473 reflector.go:205] pkg/kubelet/kubelet.go:286: Failed to list *api.Node: Get http://127.0.0.1:8080/api/v1/nodes?fieldSelector=metadata.name%3Dcoreos-2.tux-in.com&resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:11 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:11.889187    1473 reflector.go:205] pkg/kubelet/kubelet.go:267: Failed to list *api.Service: Get http://127.0.0.1:8080/api/v1/services?resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:12 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:12.292061    1473 reflector.go:205] pkg/kubelet/config/apiserver.go:43: Failed to list *api.Pod: Get http://127.0.0.1:8080/api/v1/pods?fieldSelector=spec.nodeName%3Dcoreos-2.tux-in.com&resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:12 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:12.307222    1473 event.go:207] Unable to write event: 'Post http://127.0.0.1:8080/api/v1/namespaces/default/events: dial tcp 127.0.0.1:8080: getsockopt: connection refused' (may retry after sleeping)
 Sep 23 23:30:12 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:12.495982    1473 reflector.go:205] pkg/kubelet/kubelet.go:286: Failed to list *api.Node: Get http://127.0.0.1:8080/api/v1/nodes?fieldSelector=metadata.name%3Dcoreos-2.tux-in.com&resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:12 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:12.889756    1473 reflector.go:205] pkg/kubelet/kubelet.go:267: Failed to list *api.Service: Get http://127.0.0.1:8080/api/v1/services?resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:13.292671    1473 reflector.go:205] pkg/kubelet/config/apiserver.go:43: Failed to list *api.Pod: Get http://127.0.0.1:8080/api/v1/pods?fieldSelector=spec.nodeName%3Dcoreos-2.tux-in.com&resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:13.496732    1473 reflector.go:205] pkg/kubelet/kubelet.go:286: Failed to list *api.Node: Get http://127.0.0.1:8080/api/v1/nodes?fieldSelector=metadata.name%3Dcoreos-2.tux-in.com&resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:13.589335    1473 kubelet.go:1938] Failed creating a mirror pod for "kube-apiserver-coreos-2.tux-in.com_kube-system(9b41319800532574b4c4ac760c920bee)": Post http://127.0.0.1:8080/api/v1/namespaces/kube-system/pods: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:13.890294    1473 reflector.go:205] pkg/kubelet/kubelet.go:267: Failed to list *api.Service: Get http://127.0.0.1:8080/api/v1/services?resourceVersion=0: dial tcp 127.0.0.1:8080: getsockopt: connection refused
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: I0923 23:30:13.979257    1473 docker_manager.go:2289] checking backoff for container "kube-apiserver" in pod "kube-apiserver-coreos-2.tux-in.com"
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: I0923 23:30:13.980071    1473 docker_manager.go:2303] Back-off 2m40s restarting failed container=kube-apiserver pod=kube-apiserver-coreos-2.tux-in.com_kube-system(9b41319800532574b4c4ac760c920bee)
 Sep 23 23:30:13 coreos-2.tux-in.com kubelet-wrapper[1473]: E0923 23:30:13.980144    1473 pod_workers.go:183] Error syncing pod 9b41319800532574b4c4ac760c920bee, skipping: failed to "StartContainer" for "kube-apiserver" with CrashLoopBackOff: "Back-off 2m40s restarting failed container=kube-apiserver pod=kube-apiserver-coreos-2.tux-in.com_kube-system(9b41319800532574b4c4ac760c920bee)"

This is my /var/lib/coreos-install/user_data file:

 #cloud-config

 hostname: "coreos-2.tux-in.com"
 write_files:
  - path: "/etc/ssl/etcd/ca.pem"
    permissions: "0666"
    owner: "etcd:etcd"
    content: |
     ...
  - path: "/etc/ssl/etcd/etcd1.pem"
    permissions: "0666"
    owner: "etcd:etcd"
    content: |
     ...
  - path: "/etc/ssl/etcd/etcd1-key.pem"
    permissions: "0666"
    owner: "etcd:etcd"
    content: |
     ...
  - path: "/etc/kubernetes/ssl/ca.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
     ...
  - path: "/etc/kubernetes/ssl/apiserver.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
     ...
  - path: "/etc/kubernetes/ssl/apiserver-key.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
     ...
  - path: "/etc/kubernetes/cni/net.d/10-calico.conf"
    content: |
      {
          "name": "calico",
          "type": "flannel",
          "delegate": {
              "type": "calico",
              "etcd_endpoints": "https://coreos-2.tux-in.com:2379",
              "log_level": "none",
              "log_level_stderr": "info",
              "hostname": "coreos-2.tux-in.com",
              "policy": {
                  "type": "k8s",
                  "k8s_api_root": "http://127.0.0.1:8080/api/v1/"
              }
          }
      }
  - path: "/etc/kubernetes/manifests/policy-controller.yaml"
    content: |
     apiVersion: v1
      kind: Pod
      metadata:
        name: calico-policy-controller
        namespace: calico-system
      spec:
        hostNetwork: true
        containers:
          # The Calico policy controller.
          - name: k8s-policy-controller
            image: calico/kube-policy-controller:v0.2.0
            env:
              - name: ETCD_ENDPOINTS
                value: "https://coreos-2.tux-in.com:2379"
              - name: K8S_API
                value: "http://127.0.0.1:8080"
              - name: LEADER_ELECTION
                value: "true"
          # Leader election container used by the policy controller.
          - name: leader-elector
            image: quay.io/calico/leader-elector:v0.1.0
            imagePullPolicy: IfNotPresent
            args:
              - "--election=calico-policy-election"
              - "--election-namespace=calico-system"
              - "--http=127.0.0.1:4040"
  - path: "/etc/kubernetes/manifests/kube-scheduler.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-scheduler
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-scheduler
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - scheduler
          - --master=http://127.0.0.1:8080
          - --leader-elect=true
          livenessProbe:
            httpGet:
              host: 127.0.0.1
              path: /healthz
              port: 10251
            initialDelaySeconds: 15
            timeoutSeconds: 1
  - path: "/etc/kubernetes/manifests/kube-controller-manager.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-controller-manager
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-controller-manager
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - controller-manager
          - --master=http://127.0.0.1:8080
          - --leader-elect=true
          - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --root-ca-file=/etc/kubernetes/ssl/ca.pem
          livenessProbe:
            httpGet:
              host: 127.0.0.1
              path: /healthz
              port: 10252
            initialDelaySeconds: 15
            timeoutSeconds: 1
          volumeMounts:
          - mountPath: /etc/kubernetes/ssl
            name: ssl-certs-kubernetes
            readOnly: true
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
  - path: "/etc/kubernetes/manifests/kube-proxy.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-proxy
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-proxy
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - proxy
          - --master=http://127.0.0.1:8080
          - --proxy-mode=iptables
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
  - path: "/etc/kubernetes/manifests/kube-apiserver.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-apiserver
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-apiserver
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - apiserver
          - --bind-address=0.0.0.0
          - --etcd-servers=https://coreos-2.tux-in.com:2379
          - --allow-privileged=true
          - --service-cluster-ip-range=10.0.0.0/24
          - --secure-port=443
          - --advertise-address=coreos-2.tux-in.com
          - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
          - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
          - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --client-ca-file=/etc/kubernetes/ssl/ca.pem
          - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --runtime-config=extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true
          ports:
          - containerPort: 443
            hostPort: 443
            name: https
          - containerPort: 8080
            hostPort: 8080
            name: local
          volumeMounts:
          - mountPath: /etc/kubernetes/ssl
            name: ssl-certs-kubernetes
            readOnly: true
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
 ssh_authorized_keys:
          - ...
 coreos:
   etcd2:
     # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
     # specify the initial size of your cluster with ?size=X
     discovery: ...
     advertise-client-urls: https://coreos-2.tux-in.com:2379,https://coreos-2.tux-in.com:4001
     initial-advertise-peer-urls: https://coreos-2.tux-in.com:2380
     # listen on both the official ports and the legacy ports
     # legacy ports can be omitted if your application doesn't depend on them
     listen-client-urls: https://0.0.0.0:2379,https://0.0.0.0:4001
     listen-peer-urls: https://coreos-2.tux-in.com:2380
   flannel:
     etcd_endpoints: "https://coreos-2.tux-in.com:2379"
     etcd_cafile: /etc/ssl/etcd/ca.pem
     etcd_certfile: /etc/ssl/etcd/etcd1.pem
     etcd_keyfile: /etc/ssl/etcd/etcd1-key.pem
   update:
     reboot-strategy: etcd-lock
   units:
     - name: 00-enp4s0.network
       runtime: true
       content: |
        [Match]
        Name=enp4s0

        [Network]
        Address=10.79.218.2/24
        Gateway=10.79.218.232
        DNS=8.8.8.8
     - name: var-lib-rkt.mount
       enable: true
       command: start
       content: |
         [Mount]
         What=/dev/disk/by-uuid/daca9515-5040-4f1d-ac0b-b69de3b91343
         Where=/var/lib/rkt
         Type=btrfs
         Options=loop,discard
     - name: etcd2.service
       command: start
       drop-ins:
        - name: 30-certs.conf
          content: |
           [Service]
           Environment="ETCD_CERT_FILE=/etc/ssl/etcd/etcd1.pem"
           Environment="ETCD_KEY_FILE=/etc/ssl/etcd/etcd1-key.pem"
           Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
           Environment="ETCD_CLIENT_CERT_AUTH=true"
           Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/etcd1.pem"
           Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/etcd1-key.pem"
           Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
           Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
     - name: flanneld.service
       command: start
       drop-ins:
        - name: 50-network-config.conf
          content: |
           [Service]
           ExecStartPre=/usr/bin/etcdctl --ca-file=/etc/ssl/etcd/ca.pem --cert-file=/etc/ssl/etcd/etcd1.pem --key-file=/etc/ssl/etcd/etcd1-key.pem --endpoint=https://coreos-2.tux-in.com:2379 set /coreos.com/network/config '{"Network":"10.1.0.0/16", "Backend": {"Type": "vxlan"}}'
     - name: calico-node.service
       command: start
       content: |
        [Unit]
        Description=Calico per-host agent
        Requires=network-online.target
        After=network-online.target

        [Service]
        Slice=machine.slice
        Environment=CALICO_DISABLE_FILE_LOGGING=true
        Environment=HOSTNAME=coreos-2.tux-in.com
        Environment=IP=10.79.218.2
        Environment=FELIX_FELIXHOSTNAME=coreos-2.tux-in.com
        Environment=CALICO_NETWORKING=false
        Environment=NO_DEFAULT_POOLS=true
        Environment=ETCD_ENDPOINTS=https://coreos-2.tux-in.com:2379
        Environment=ETCD_AUTHORITY=coreos-2.tux-in.com:2379
        Environment=ETCD_SCHEME=https
        Environment=ETCD_CA_CERT_FILE=/etc/ssl/etcd/ca.pem
        Environment=ETCD_CERT_FILE=/etc/ssl/etcd/etcd1.pem
        Environment=ETCD_KEY_FILE=/etc/ssl/etcd/etcd1-key.pem
        ExecStart=/usr/bin/rkt run --volume=resolv-conf,kind=host,source=/etc/resolv.conf,readOnly=true \
        --volume=etcd-tls-certs,kind=host,source=/etc/ssl/etcd,readOnly=true --inherit-env --stage1-from-dir=stage1-fly.aci \
        --volume=modules,kind=host,source=/lib/modules,readOnly=false \
        --mount=volume=modules,target=/lib/modules \
        --trust-keys-from-https quay.io/calico/node:v0.19.0 \
        --mount=volume=etcd-tls-certs,target=/etc/ssl/etcd \
        --mount=volume=resolv-conf,target=/etc/resolv.conf

        KillMode=mixed
        Restart=always
        TimeoutStartSec=0

        [Install]
        WantedBy=multi-user.target
     - name: kubelet.service
       command: start
       content: |
        [Service]
        ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/usr/bin/mkdir -p /var/log/containers

        Environment=KUBELET_VERSION=v1.3.7_coreos.0
        Environment="RKT_OPTS=--volume var-log,kind=host,source=/var/log \
          --mount volume=var-log,target=/var/log \
          --volume dns,kind=host,source=/etc/resolv.conf \
          --mount volume=dns,target=/etc/resolv.conf"

        ExecStart=/usr/lib/coreos/kubelet-wrapper \
          --api-servers=http://127.0.0.1:8080 \
          --network-plugin-dir=/etc/kubernetes/cni/net.d \
          --network-plugin=cni \
          --register-schedulable=false \
          --allow-privileged=true \
          --config=/etc/kubernetes/manifests \
          --hostname-override=coreos-2.tux-in.com \
          --cluster-dns=8.8.8.8 \
          --cluster-domain=tux-in.com
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target

Is 127.0.0.1:8080 supposed to be opened by kubelet-apiserver? What am I missing here?

Thanks!

kubernetes coreos
  • 1 answer
  • 2034 Views
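
Added example (not part of the original question): the user_data above writes the etcd CA, certificate and private key with permissions "0666", while the Kubernetes key material uses "0600". The Python check below scans write_files entries for world-writable files and for private keys readable beyond their owner. The function name, the filename pattern used to recognise keys and the 0644 default for entries without a permissions field are assumptions of this sketch.

```python
import re

# Constructed excerpt of the write_files section posted above (contents elided).
USER_DATA = '''\
write_files:
  - path: "/etc/ssl/etcd/ca.pem"
    permissions: "0666"
    owner: "etcd:etcd"
  - path: "/etc/ssl/etcd/etcd1-key.pem"
    permissions: "0666"
    owner: "etcd:etcd"
  - path: "/etc/kubernetes/ssl/apiserver-key.pem"
    permissions: "0600"
    owner: "root:root"
  - path: "/etc/kubernetes/cni/net.d/10-calico.conf"
'''

# Heuristic (assumption): files named *-key.pem or *.key hold private keys.
KEY_RE = re.compile(r"(-key\.pem|\.key)$")


def parse_write_files(text, default_mode=0o644):
    """Collect (path, mode) pairs from '- path:' / 'permissions:' lines."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := re.match(r'\s*-\s*path:\s*"?([^"\s]+)"?', line):
            cur = {"path": m.group(1), "mode": default_mode}
            entries.append(cur)
        elif cur and (m := re.match(r'\s*permissions:\s*"?([0-7]{3,4})"?', line)):
            cur["mode"] = int(m.group(1), 8)   # the field is an octal string
    return [(e["path"], e["mode"]) for e in entries]


def audit_write_files(text, default_mode=0o644):
    """Return (path, mode, reason) findings for risky file modes."""
    findings = []
    for path, mode in parse_write_files(text, default_mode):
        shown = f"{mode:04o}"
        if mode & 0o002:
            # Any local user can replace the file, e.g. swap a trusted CA.
            findings.append((path, shown, "world-writable"))
        if KEY_RE.search(path) and mode & 0o077:
            # Group or other bits set on a private key.
            findings.append((path, shown, "private key accessible beyond its owner"))
    return findings


if __name__ == "__main__":
    for path, mode, reason in audit_write_files(USER_DATA):
        print(f"{mode} {path}: {reason}")
```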
ufk
Asked: 2016-09-15 11:50:17 +0800 CST

Getting "EtcdException: Could not get the list of servers" when running the calico rkt container on CoreOS

  • 1

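I have two CoreOS stable v1122.2.0 machines, each configured with etcd2 with TLS.

I created the certificates using https://github.com/coreos/etcd/tree/master/hack/tls-setup.

Now I'm trying to configure calico-node to run on my CoreOS master node using rkt.

I have the following in my cloud-config configuration: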

write_files:
 - path: "/etc/kubernetes/cni/net.d/10-calico.conf"
   content: |
     {
     "name": "calico",
     "type": "flannel",
     "delegate": {
         "type": "calico",
         "etcd_endpoints": "https://10.79.218.2:2379,https://10.79.218.3:2379",
         "log_level": "none",
         "log_level_stderr": "info",
         "hostname": "10.79.218.2",
         "policy": {
             "type": "k8s",
             "k8s_api_root": "http://127.0.0.1:8080/api/v1/"
             }
         }
     }
 - path: "/etc/kubernetes/manifests/policy-controller.yaml"
   content: |
    apiVersion: v1
     kind: Pod
     metadata:
       name: calico-policy-controller
       namespace: calico-system
     spec:
       hostNetwork: true
       containers:
         # The Calico policy controller.
         - name: k8s-policy-controller
           image: calico/kube-policy-controller:v0.2.0
           env:
             - name: ETCD_ENDPOINTS
               value: "https://10.79.218.2:2379,https://10.79.218.3:2379"
             - name: K8S_API
               value: "http://127.0.0.1:8080"
             - name: LEADER_ELECTION
               value: "true"
         # Leader election container used by the policy controller.
         - name: leader-elector
           image: quay.io/calico/leader-elector:v0.1.0
           imagePullPolicy: IfNotPresent
           args:
             - "--election=calico-policy-election"
             - "--election-namespace=calico-system"
             - "--http=127.0.0.1:4040"
...
units:
 - name: calico-node.service
   enable: true
   command: start
   content: |
    [Unit]
    Description=Calico per-host agent
    Requires=network-online.target
    After=network-online.target

    [Service]
    Slice=machine.slice
    Environment=CALICO_DISABLE_FILE_LOGGING=true
    Environment=HOSTNAME=10.79.218.2
    Environment=IP=10.79.218.2
    Environment=FELIX_FELIXHOSTNAME=10.79.218.2
    Environment=CALICO_NETWORKING=false
    Environment=NO_DEFAULT_POOLS=true
    Environment=ETCD_ENDPOINTS=https://10.79.218.2:2379,https://10.79.218.3:2379
    ExecStart=/usr/bin/rkt run --inherit-env --stage1-from-dir=stage1-fly.aci \
    --volume=modules,kind=host,source=/lib/modules,readOnly=false \
    --mount=volume=modules,target=/lib/modules \
    --trust-keys-from-https quay.io/calico/node:v0.19.0

    KillMode=mixed
    Restart=always
    TimeoutStartSec=0

    [Install]
    WantedBy=multi-user.target

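Please ignore the whitespace indentation.. I think I didn't copy/paste it properly :)

When I try to start the calico-node service, I get the following errors: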

Sep 14 05:45:17 localhost systemd[1]: Started Calico per-host agent.
Sep 14 05:45:17 localhost rkt[1644]: image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
Sep 14 05:45:18 localhost rkt[1644]: image: using image from local store for image name quay.io/calico/node:v0.19.0
Sep 14 05:45:25 localhost rkt[1644]: Traceback (most recent call last):
Sep 14 05:45:25 localhost rkt[1644]:   File "startup.py", line 292, in <module>
Sep 14 05:45:25 localhost rkt[1644]:     client = IPAMClient()
Sep 14 05:45:25 localhost rkt[1644]:   File "/usr/lib/python2.7/site-packages/pycalico/datastore.py", line 228, in __init__
Sep 14 05:45:25 localhost rkt[1644]:     "%s" % (ETCD_CA_CERT_FILE_ENV, etcd_ca))
Sep 14 05:45:25 localhost rkt[1644]: pycalico.datastore_errors.DataStoreError: Invalid ETCD_CA_CERT_FILE. Certificate Authority cert is required and m
Sep 14 05:45:25 localhost rkt[1644]: Calico node failed to start
Sep 14 05:45:25 localhost systemd[1]: calico-node.service: Main process exited, code=exited, status=1/FAILURE
Sep 14 05:45:25 localhost systemd[1]: calico-node.service: Unit entered failed state.
Sep 14 05:45:25 localhost systemd[1]: calico-node.service: Failed with result 'exit-code'.
Sep 14 05:45:25 localhost systemd[1]: calico-node.service: Service hold-off time over, scheduling restart.
Sep 14 05:45:25 localhost systemd[1]: Stopped Calico per-host agent.
Sep 14 05:45:25 localhost systemd[1]: Started Calico per-host agent.
Sep 14 05:45:25 localhost rkt[1714]: image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
Sep 14 05:45:26 localhost rkt[1714]: image: using image from local store for image name quay.io/calico/node:v0.19.0
Sep 14 05:45:28 localhost rkt[1714]: Traceback (most recent call last):
Sep 14 05:45:28 localhost rkt[1714]:   File "startup.py", line 292, in <module>
Sep 14 05:45:28 localhost rkt[1714]:     client = IPAMClient()
Sep 14 05:45:28 localhost rkt[1714]:   File "/usr/lib/python2.7/site-packages/pycalico/datastore.py", line 228, in __init__
Sep 14 05:45:28 localhost rkt[1714]:     "%s" % (ETCD_CA_CERT_FILE_ENV, etcd_ca))
Sep 14 05:45:28 localhost rkt[1714]: pycalico.datastore_errors.DataStoreError: Invalid ETCD_CA_CERT_FILE. Certificate Authority cert is required and m

lines 2-25

So I get Invalid ETCD_CA_CERT_FILE. I didn't really specify to calico which keys to use.. so I guess I'm missing some configuration.

I have the following etcd-related keys in /etc/ssl/etcd:

8 -rw-------. 1 etcd etcd 1050 Sep 14 05:45 ca.pem
8 -rw-------. 1 etcd etcd  289 Sep 14 05:45 etcd1-key.pem
8 -rw-------. 1 etcd etcd 1058 Sep 14 05:45 etcd1.pem
8 -rw-------. 1 etcd etcd  227 Sep 12 03:49 server1-key.pem
8 -rw-------. 1 etcd etcd  822 Sep 12 03:49 server1.pem

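I tried adding Environment=ETCD_CA_CERT_FILE=/etc/ssl/etcd/ca.pem to the calico-node systemd file, but I get exactly the same result.

Any ideas?

Update

So I tried running calico manually instead of using systemd. I also added all the environment variables that calico requires: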

export CALICO_DISABLE_FILE_LOGGING=true
export HOSTNAME=10.79.218.2
export IP=10.79.218.2
export FELIX_FELIXHOSTNAME=10.79.218.2
export CALICO_NETWORKING=false
export NO_DEFAULT_POOLS=true
export ETCD_ENDPOINTS=https://10.79.218.2:2379,https://10.79.218.3:2379
export ETCD_AUTHORITY=10.79.218.2:2379
export ETCD_SCHEME=https
export ETCD_CA_CERT_FILE=/etc/ssl/etcd/ca.pem
export ETCD_CERT_FILE=/etc/ssl/etcd/etcd1.pem
export ETCD_KEY_FILE=/etc/ssl/etcd/etcd1-key.pem

When I try to run the calico container with the following command:

/usr/bin/rkt run --inherit-env --stage1-from-dir=stage1-fly.aci \
 --volume=modules,kind=host,source=/lib/modules,readOnly=false \
 --mount=volume=modules,target=/lib/modules \
 --trust-keys-from-https quay.io/calico/node:v0.19.0

I get:

image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
image: using image from local store for image name quay.io/calico/node:v0.19.0
Traceback (most recent call last):
  File "startup.py", line 292, in <module>
   client = IPAMClient()
  File "/usr/lib/python2.7/site-packages/pycalico/datastore.py", line 221, in __init__
    ETCD_CERT_FILE_ENV, etcd_cert))
pycalico.datastore_errors.DataStoreError: Cannot read ETCD_KEY_FILE and/or ETCD_CERT_FILE. Both must be readable file paths. Values provided: ETCD_KEY_FILE=/etc/ssl/etcd/etcd1-key.pem, ETCD_CERT_FILE=/etc/ssl/etcd/etcd1.pem

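I changed the file permissions of the certificate files to 666, but that doesn't solve the problem. And I know these certificates are valid, because etcd tls works fine. So what am I missing?

Update 2

It looks like I was missing mounting the certificate directory in the calico container.

So now I'm running the calico container with: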

/usr/bin/rkt run --volume etcd-ssl,kind=host,source=/etc/ssl/etcd/,readOnly=true --inherit-env --stage1-from-dir=stage1-fly.aci  --volume=modules,kind=host,source=/lib/modules,readOnly=false  --mount=volume=modules,target=/lib/modules  --trust-keys-from-https quay.io/calico/node:v0.19.0 --mount volume=etcd-ssl,target=/etc/ssl/etcd

I get the following output:

image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
image: using image from local store for image name quay.io/calico/node:v0.19.0
Traceback (most recent call last):
  File "startup.py", line 292, in <module>
client = IPAMClient()
  File "/usr/lib/python2.7/site-packages/pycalico/datastore.py", line 246, in __init__
allow_reconnect=True)
  File "/usr/lib/python2.7/site-packages/etcd/client.py", line 204, in __init__
set(self.machines))
  File "/usr/lib/python2.7/site-packages/etcd/client.py", line 299, in machines
return self.machines
  File "/usr/lib/python2.7/site-packages/etcd/client.py", line 301, in machines
    raise etcd.EtcdException("Could not get the list of servers, "
etcd.EtcdException: Could not get the list of servers, maybe you provided the wrong host(s) to connect to?
Calico node failed to start

I'm a bit closer.. but still no solution.

Update 3

I tried setting ETCD_ENDPOINTS to the etcd server on the coreos machine by running export ETCD_ENDPOINTS=https://10.79.218.2:2379, and now when I try to run the calico rkt image, I get:

image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
image: using image from local store for image name quay.io/calico/node:v0.19.0
Traceback (most recent call last):
  File "startup.py", line 295, in <module>
main()
  File "startup.py", line 251, in main
warn_if_hostname_conflict(ip)
  File "startup.py", line 192, in warn_if_hostname_conflict
current_ipv4, _ = client.get_host_bgp_ips(hostname)
  File "/usr/lib/python2.7/site-packages/pycalico/datastore.py", line 132, in wrapped
"running?" % (fn.__name__, e.message))
pycalico.datastore_errors.DataStoreError: get_host_bgp_ips: Error accessing etcd (Connection to etcd failed due to SSLError(CertificateError("hostname '10.79.218.2' doesn't match u'etcd'",),)).  Is etcd running?
Calico node failed to start
etcd coreos rkt
  • 2 answers
  • 890 Views
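ufk
Asked: 2016-09-11 20:16:41 +0800 CST

Problems configuring etcd2 for TLS

  • 2

I have two CoreOS stable v1122.2.0 machines at home. Both of them registered properly at discovery.etcd.io. (When I browse to the discovery URL, I see both of them registered at https://ip:2380).

The first server is 10.79.218.2 and the second is 10.79.218.3.

I'm trying to configure etcd for tls. So I created the required certificates and configured etcd2 for tls. The whole configuration (for the first server, with local IP 10.79.218.2) is in the cloud-config.yml file: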

 #cloud-config

 write_files:
  - path: "/etc/ssl/etcd/ca.pem"
    permissions: "0600"
    owner: "etcd:etcd"
    content: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  - path: "/etc/ssl/etcd/server1.pem"
    permissions: "0600"
    owner: "etcd:etcd"
    content: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  - path: "/etc/ssl/etcd/server1-key.pem"
    permissions: "0600"
    owner: "etcd:etcd"
    content: |
      -----BEGIN EC PRIVATE KEY-----
      ...
      -----END EC PRIVATE KEY-----
  - path: "/etc/kubernetes/cni/net.d/10-calico.conf"
    content: |
      {
          "name": "calico",
          "type": "flannel",
          "delegate": {
              "type": "calico",
              "etcd_endpoints": "https://10.79.218.2:2379,https://10.79.218.3:2379",
              "log_level": "none",
              "log_level_stderr": "info",
              "hostname": "10.79.218.2",
              "policy": {
                  "type": "k8s",
                  "k8s_api_root": "http://127.0.0.1:8080/api/v1/"
              }
          }
      }
  - path: "/etc/kubernetes/manifests/policy-controller.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: calico-policy-controller
        namespace: calico-system
      spec:
        hostNetwork: true
        containers:
          # The Calico policy controller.
          - name: k8s-policy-controller
            image: calico/kube-policy-controller:v0.2.0
            env:
              - name: ETCD_ENDPOINTS
                value: "https://10.79.218.2:2379,http://10.79.218.3:2379"
              - name: K8S_API
                value: "http://127.0.0.1:8080"
              - name: LEADER_ELECTION
                value: "true"
          # Leader election container used by the policy controller.
          - name: leader-elector
            image: quay.io/calico/leader-elector:v0.1.0
            imagePullPolicy: IfNotPresent
            args:
              - "--election=calico-policy-election"
              - "--election-namespace=calico-system"
              - "--http=127.0.0.1:4040"

  - path: "/etc/kubernetes/manifests/kube-scheduler.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-scheduler
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-scheduler
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - scheduler
          - --master=http://127.0.0.1:8080
          - --leader-elect=true
          livenessProbe:
            httpGet:
              host: 127.0.0.1
              path: /healthz
              port: 10251
            initialDelaySeconds: 15
            timeoutSeconds: 1
  - path: "/etc/kubernetes/manifests/kube-controller-manager.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-controller-manager
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-controller-manager
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - controller-manager
          - --master=http://127.0.0.1:8080
          - --leader-elect=true
          - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --root-ca-file=/etc/kubernetes/ssl/ca.pem
          livenessProbe:
            httpGet:
              host: 127.0.0.1
              path: /healthz
              port: 10252
            initialDelaySeconds: 15
            timeoutSeconds: 1
          volumeMounts:
          - mountPath: /etc/kubernetes/ssl
            name: ssl-certs-kubernetes
            readOnly: true
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
  - path: "/etc/kubernetes/manifests/kube-proxy.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-proxy
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-proxy
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - proxy
          - --master=http://127.0.0.1:8080
          - --proxy-mode=iptables
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
  - path: "/etc/kubernetes/manifests/kube-apiserver.yaml"
    content: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-apiserver
        namespace: kube-system
      spec:
        hostNetwork: true
        containers:
        - name: kube-apiserver
          image: quay.io/coreos/hyperkube:v1.3.6_coreos.0
          command:
          - /hyperkube
          - apiserver
          - --bind-address=0.0.0.0
          - --etcd-servers=https://10.79.218.2:2379,https://10.79.218.3:2379
          - --allow-privileged=true
          - --service-cluster-ip-range=10.0.0.0/24
          - --secure-port=443
          - --advertise-address=10.79.218.2
          - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
          - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
          - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --client-ca-file=/etc/kubernetes/ssl/ca.pem
          - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
          - --runtime-config=extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true
          ports:
          - containerPort: 443
            hostPort: 443
            name: https
          - containerPort: 8080
            hostPort: 8080
            name: local
          volumeMounts:
          - mountPath: /etc/kubernetes/ssl
            name: ssl-certs-kubernetes
            readOnly: true
          - mountPath: /etc/ssl/certs
            name: ssl-certs-host
            readOnly: true
        volumes:
        - hostPath:
            path: /etc/kubernetes/ssl
          name: ssl-certs-kubernetes
        - hostPath:
            path: /usr/share/ca-certificates
          name: ssl-certs-host
  - path: "/etc/flannel/options.env"
    content: |
     FLANNELD_IFACE=10.79.218.2
     FLANNELD_ETCD_ENDPOINTS=https://10.79.218.2:2379,https://10.79.218.3:2379
  - path: "/etc/kubernetes/ssl/ca.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  - path: "/etc/kubernetes/ssl/apiserver.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  - path: "/etc/kubernetes/ssl/apiserver-key.pem"
    permissions: "0600"
    owner: "root:root"
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
 ssh_authorized_keys:
          - "ssh-rsa ... ufk@ufk-osx-music"
 coreos:
   update:
     reboot-strategy: etcd-lock
   etcd2:
     discovery: https://discovery.etcd.io/...
    # multi-region and multi-cloud deployments need to use $public_ipv4
     advertise-client-urls: https://10.79.218.2:2379
     initial-advertise-peer-urls: https://10.79.218.2:2380
     # listen on both the official ports and the legacy ports
     # legacy ports can be omitted if your application doesn't depend on them
     listen-client-urls: https://0.0.0.0:2379
     listen-peer-urls: https://10.79.218.2:2380
   units:
     - name: 00-enp4s0.network
       runtime: true
       content: |
        [Match]
        Name=enp4s0

        [Network]
        Address=10.79.218.2/24
        Gateway=10.79.218.232
        DNS=8.8.8.8
     - name: var-lib-rkt.mount
       enable: true
       command: start
       content: |
         [Mount]
         What=/dev/disk/by-uuid/23cc3284-e121-4448-b755-b74b5a022251
         Where=/var/lib/rkt
         Type=btrfs
         Options=loop,discard
     - name: etcd2.service
       command: start
       drop-ins:
        - name: 30-certs.conf
          content: |
           [Service]
           Environment="ETCD_CERT_FILE=/etc/ssl/etcd/server1.pem"
           Environment="ETCD_KEY_FILE=/etc/ssl/etcd/server1-key.pem"
           Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
           Environment="ETCD_CLIENT_CERT_AUTH=true"
           Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server1.pem"
           Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server1-key.pem"
           Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
           Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
     - name: flanneld.service
       command: start
       drop-ins:
        - name: 50-network-config.conf
          content: |
           [Service]
           ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{"Network":"10.1.0.0/16", "Backend": {"Type": "vxlan"}}'
        - name: 40-ExecStartPre-symlink.conf
          content: |
           [Service]
           ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
     - name: kubelet.service
       enable: false
       content: |
        [Service]
        ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests

        Environment=KUBELET_VERSION=v1.3.6_coreos.0
        ExecStart=/usr/lib/coreos/kubelet-wrapper \
           --api-servers=http://127.0.0.1:8080 \
           --network-plugin-dir=/etc/kubernetes/cni/net.d \
           --network-plugin=cni \
           --register-schedulable=false \
           --allow-privileged=true \
           --config=/etc/kubernetes/manifests \
           --hostname-override=10.79.218.2 \
           --cluster-dns=8.8.8.8 \
           --cluster-domain=cluster.local
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target
     - name: calico-node.service
       enable: false
       content: |
        [Unit]
        Description=Calico per-host agent
        Requires=network-online.target
        After=network-online.target

        [Service]
        Slice=machine.slice
        Environment=CALICO_DISABLE_FILE_LOGGING=true
        Environment=HOSTNAME=10.79.218.2
        Environment=IP=${ADVERTISE_IP}
        Environment=FELIX_FELIXHOSTNAME=10.79.218.2
        Environment=CALICO_NETWORKING=false
        Environment=NO_DEFAULT_POOLS=true
        Environment=ETCD_ENDPOINTS=https://10.79.218.2:2379,https://10.79.218.3:2379
        ExecStart=/usr/bin/rkt run --inherit-env --stage1-from-dir=stage1-fly.aci \
        --volume=modules,kind=host,source=/lib/modules,readOnly=false \
        --mount=volume=modules,target=/lib/modules \
        --trust-keys-from-https quay.io/calico/node:v0.19.0

        KillMode=mixed
        Restart=always
        TimeoutStartSec=0

        [Install]
        WantedBy=multi-user.target
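  • I removed the important stuff (like keys) and replaced it with ...
  • I have kubelet and calico configured, but disabled for now until I get etcd2 up and running with tls.

So I tried to run etcdctl from my Mac Pro laptop (while connected to the same local network) to list the etcd2 members with the command: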

./etcdctl --endpoints="https://10.79.218.2:2379,https://10.79.218.3:2379" --key-file="./cfssl/client-key.pem" --cert-file="./cfssl/client.pem" --ca-file="./cfssl/ca.pem"  member list

I get the response:

Try '--no-sync' if you want to access non-published client endpoints(https://10.79.218.2:2379,https://10.79.218.3:2379).
Error:  client: no endpoints available

Running the same command with --no-sync results in:

Failed to get leader:  client: etcd cluster is unavailable or misconfigured

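I created the certificates as described in https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md

What am I missing?

Thanks

Update

So I found https://github.com/coreos/etcd/tree/master/hack/tls-setup. I recreated the certificates using this script and configured my coreos etcd2 servers with them.

It created the following certificates: ca-key.pem ca.csr ca.pem etcd1-key.pem etcd1.csr etcd1.pem etcd2-key.pem etcd2.csr etcd2.pem etcd3-key.pem etcd3.csr etcd3.pem proxy1-key.pem proxy1.csr proxy1.pem

The problem is that I don't see any client certificates.. so I don't quite understand which certificates to pass as parameters to get etcdctl working on my desktop. Any ideas?

Update 2

So I found out how to use etcdctl with tls.. I think. But I still get an error. I executed the following command: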

/etcdctl --endpoint=https://10.79.218.2:2379 --ca-file=./certs/ca.pem --cert-file=./certs/etcd1.pem --key-file=./certs/etcd1-key.pem --no-sync ls

But I get the error:

Error:  client: etcd cluster is unavailable or misconfigured
error #0: x509: cannot validate certificate for 10.79.218.2 because it doesn't contain any IP SANs
etcd coreos
  • 1 answer
  • 1005 Views
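
The two certificate errors quoted in the questions above (`hostname '10.79.218.2' doesn't match u'etcd'` from the calico container and `cannot validate certificate for 10.79.218.2 because it doesn't contain any IP SANs` from etcdctl) are both name-verification failures for an IP-address endpoint; the second message states the rule directly: the IP has to appear in the certificate as an IP subjectAltName. The sketch below is an added example, not code from the original posts or from etcd or calico; it applies that rule to the endpoint list from the posts. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Assumption: the certificate names only "etcd", as the error text suggests.
CERT_WITHOUT_IP_SAN = {
    "subject": ((("commonName", "etcd"),),),
    "subjectAltName": (("DNS", "etcd"),),
}

# Constructed sample: the same certificate reissued with the node IPs as SANs.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "etcd"),),),
    "subjectAltName": (
        ("DNS", "etcd"),
        ("IP Address", "10.79.218.2"),
        ("IP Address", "10.79.218.3"),
    ),
}

# Endpoint list as used in the posts.
ENDPOINTS = "https://10.79.218.2:2379,https://10.79.218.3:2379"


def as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def dns_match(pattern, host):
    """Match a DNS SAN; a wildcard is accepted only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def host_matches_cert(host, cert):
    """True if the certificate is valid for host.

    IP literals are compared only against "IP Address" SAN entries; in this
    check they never match a DNS SAN or the subject commonName.
    """
    sans = cert.get("subjectAltName", ())
    ip = as_ip(host)
    if ip is not None:
        return any(
            kind == "IP Address" and as_ip(value) == ip
            for kind, value in sans
        )
    return any(kind == "DNS" and dns_match(value, host) for kind, value in sans)


def check_endpoints(endpoints, cert):
    """Map each endpoint URL to whether the certificate covers its host."""
    result = {}
    for url in endpoints.split(","):
        url = url.strip()
        host = urlsplit(url).hostname
        result[url] = host is not None and host_matches_cert(host, cert)
    return result


if __name__ == "__main__":
    for label, cert in (("without IP SANs", CERT_WITHOUT_IP_SAN),
                        ("with IP SANs", CERT_WITH_IP_SAN)):
        print(label)
        for url, ok in check_endpoints(ENDPOINTS, cert).items():
            print("  %-28s %s" % (url, "ok" if ok else "name mismatch"))
```
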
ufk
Asked: 2016-02-26 02:15:11 +0800 CST

Increasing max_connections in mysql on ubuntu wily

  • 0

I have ubuntu wily installed on my server. I'm trying to increase the mysql server's max_connections to 1237, but when running the mysql client and executing show variables like 'max_connections'; I get 214.

I did the following:

I edited /etc/sysctl.conf and added fs.file-max = 2459688, then executed sysctl -p.

I edited /etc/security/limit.conf and added the following lines:

*           soft    nofile         4096
*           hard    nofile         4096

Then I rebooted. ulimit -a shows 4096, but the mysql proc still shows a soft limit of 1024 connections.

Meaning.. I executed the following commands:

# cat /var/run/mysqld/mysqld.pid
1099
# cat /proc/1099/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             62891                62891                processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       62891                62891                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

Any ideas?

ubuntu
  • 1 answer
  • 1451 Views
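ufk
Asked: 2015-10-13 08:28:23 +0800 CST

postfix smtp remote - connection timed out

  • 0

I have an ubuntu server installed on a remote server at Amazon.

I'm trying to allow remote connections to send emails based on the user/password configured in the ubuntu system. Meaning every user in my system can send email using their own credentials.

First I opened port 25 in Amazon's firewall.

Then I configured the following files:

master.cf in postfix

I added the following lines: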

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Then I configured dovecot by adding the following lines to /etc/dovecot/conf.d/10-auth.conf:

disable_plaintext_auth = no
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl=required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key

This is my main.cf in postfix:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = ip-172-31-42-234.us-west-2.compute.internal
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = tux-in.com, ip-172-31-42-234.us-west-2.compute.internal, localhost.us-west-2.compute.internal, localhost,     myalcoholist.com, myalcohollist.com
virtual_alias_domains = myalcoholist.com myalcohollist.com tux-in.com
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
mailbox_command =
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

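OK.. so far so good... I have dovecot installed, so I have an imap and pop3 server and I can successfully retrieve emails.

Now I want to configure the email client on my OS X desktop to connect to the smtp server on Amazon and send emails.

The problem I'm having is that I can't connect to the smtp server from outside. The connection times out when I try to telnet. I'm able to telnet to 127.0.0.1 on port 25 from the local server. I checked that inet interfaces is configured to all, and I did open port 25 on Amazon's firewall, so the only thing that comes to mind is that for some reason postfix itself blocks outside connections.

If postfix is blocking outside connections, then I'm missing something in the configuration.

I'm a bit lost here.. any information regarding the issue would be greatly appreciated.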

ubuntu
  • 1 answer
  • 338 Views
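ufk
Asked: 2015-08-13 07:16:10 +0800 CST

Triggering an alert based on a string in a log file

  • 1

I have installed zabbix 2.4.5 on my ubuntu linux server. I configured 2 remote servers; let's call the relevant one foo.

I want to monitor a log file for specific text, and have it alert me if it finds it.

So first I created an item:

[Image: item creation]

Then I created a trigger:

[Image: trigger creation]

Basically, I'm trying to find lines with the text "in previous game objects".

Now when I check the trigger's status, I get "not supported".

[Image: not supported]

Any idea why?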

log-files
  • 1 answer
  • 10900 Views
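ufk
Asked: 2014-03-19 00:26:45 +0800 CST

How to disable all cache types in mysql server in order to performance-test my queries

  • 2

I'm using Mysql Server 5.6.15, and I have a huge database with many complex queries.

It seems that when I run a query for the first time, it takes X time.

When I execute it again, it takes less than X time. This means something is being cached.

I want to be able to performance-test my queries so that I can improve them with respect to caching.

Is there a way to disable all cache types in mysql so that I can properly test the execution time of my queries?

Any information regarding the issue would be greatly appreciated.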

mysql
  • 1 answer
  • 4475 Views
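ufk
Asked: 2013-07-16 00:42:43 +0800 CST

Access log to include an indication when someone telnets to my server and types garbage

  • 1

I have an apache 2.2.22 server installed on ubuntu linux.

I created a virtual host on port 443, and I want all telnet indications on that port to be listed in the access log.

For example, if I telnet to that port on port 443 and I don't write anything, it disconnects me after a few seconds, and then it shows an indication in the access log: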

192.168.1.140 - - [15/Jul/2013:11:40:19 +0300] "-" 408 0 "-" "-"

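However, if I telnet to port 443, type some garbage text and get disconnected, I don't see an indication in the access log that I tried to connect.

This is my access log directive in the apache configuration file: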

CustomLog ${APACHE_LOG_DIR}/apache-ssl-access.log combined

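How can I resolve this so that even if I telnet to that port and type garbage, I'll still see an indication that someone tried to connect?

I have the reqtimeout module enabled.

Thank you.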

apache-2.2
  • 2 answers
  • 558 Views
ufk
Asked: 2013-05-02 05:12:12 +0800 CST

Getting https encrypted data delivered over http

  • 0

I'm trying to configure tomcat to use https on port 8443.

Using tomcat 7.

I enabled the https connector with the following parameters:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" keystorePass="<pass>"
           maxThreads="150" scheme="https" secure="true" keystoreFile="${catalina.base}/foo/bar.keystore"
           clientAuth="false" sslProtocol="TLS" />

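I created a keystore with a password and the required domain.

When I start tomcat and browse to the admin panel or my jsp pages using port 8443, I get garbled, unidentified data. Meaning I get https encrypted data delivered over http. When I browse on port 8080, I can see it properly. What am I missing?

Thank you!

Update

I have this configuration in server.xml: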

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

I have this in the log:

May 02, 2013 5:57:45 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/package

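So maybe that's the problem.

It's only an INFO message, so I ignored it. But maybe because APR is missing, the SSLEngine isn't working properly.

I have gentoo linux and the APR package is installed; I don't know why it doesn't detect it.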

tomcat
  • 1 answer
  • 81 Views
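ufk
Asked: 2013-01-02 06:35:34 +0800 CST

rsync from machine a to machine c

  • 1

I have gentoo Linux.

I want to rsync to a remote machine that requires SSHing twice to get into.

How can I do that in one command?

I used to do it with one command, but I forgot how!

I used to do it without port forwarding.

I somehow saved the ssh details in some file, but I forgot what exactly I did.

Any ideas?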

ssh
  • 1 answer
  • 60 Views
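ufk
Asked: 2010-02-24 06:11:42 +0800 CST

Can I find the web hosting company from an IP address?

  • 12

If I have an IP address, is there a way to find the web hosting service that this IP address belongs to?

I tried using whois and traceroute, but no luck so far.

The case is that a friend of mine bought a domain and storage a few years ago, but he doesn't remember where he bought the storage from.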

networking web-hosting ip-address whois
  • 4 answers
  • 21401 Views
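ufk
Asked: 2010-01-27 03:12:20 +0800 CST

apache2-worker + cgi-perl vs apache2-prefork + mod_perl - which is faster? What requires fewer resources?

  • 2

Hello. I'm using Gentoo linux. It seems I can't emerge/install mod_perl with a threaded apache2, so I'd like to know the pros and cons of using apache2's worker module with cgi-perl versus using apache2's prefork module with mod_perl.

What's faster? What requires fewer resources? Security-wise, is there any difference?

Thanks!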

apache-2.2 perl mod-perl
  • 4 answers
  • 2425 Views
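ufk
Asked: 2010-01-19 04:32:38 +0800 CST

linux: one apache, two php versions. Possible?

  • 7

It seems that some of my php applications require php 5.2 and some require php 5.3. Is there a way to configure apache (v2.2.14) so that one virtual host will work with one php library and a different virtual host will require a different one?

Currently the only solution I've found is to install two apaches and two phps, with each apache residing on a different port.

Thanks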

linux php apache-2.2
  • 3 answers
  • 2472 Views
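ufk
Asked: 2009-10-20 03:19:32 +0800 CST

Giving slingbox high priority using iptables

  • 2

For several months I've been trying to give the Slingbox the highest priority via port 5001, without any success.

Many people recommend using htb qdiscs, but the problem is that I don't want to limit anyone's bandwidth, I just want to prioritize it.

I'm using gentoo linux with the latest kernel sources and the latest iptables.

Thanks!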

firewall
  • 2 answers
  • 391 Views
