Codejoy's questions

我有一个老化的邮件服务器……它只运行 courier postfix 和 smtp。它是一个 KVM VM，有两个驱动器，一个用于操作系统，一个用于数据。我有一个非常满的数据驱动器（报告 100% 已满，即使已使用和可用空间分布在 24GB 左右）。我不确定为什么或是什么占用了空间然后又释放了它。top 显示主要是 postfix 的 imapd 在执行操作。我无法在这台机器上获取 iotop。所以我想开始释放服务器上用户邮箱中的空间，我会执行 du -h -d1 来尝试找出最大的罪魁祸首是谁。好吧，这个命令运行得比以往任何时候都慢。所以由于它运行缓慢，我想我会发出一个屏幕命令：

du -h -d1 > 邮箱大小.txt

所以我可以在早上查看它并查看使用情况。它写了大约 6 个邮箱，最大的一个是 2.2GB，然后什么都没有。所以来到实际的机器上看看命令在它仍在运行时做了什么，看到了这个：

[root@xmail]# du -h -d1 > /root/mailboxsizes.txt
[14280.306953] INFO: task imapd:12559 blocked for more than 120 seconds.
[14280.307710] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[14280.309680] imapd           D ffff8800d3d9cd98     0 12559      1 0x00000080
[14280.310591]  ffff8800b17bbc20 0000000000000086 ffff880057bbce70 ffff8800b17bbfd8
[14280.310591]  ffff8800b17bbfd8 ffff8800b17bbfd8 ffff880057bbce70 ffff8800d3d9cd90
[14280.313532]  ffff8800d3d9cd94 ffff880057bbce70 00000000ffffffff ffff8800d3d9cd98
[14280.313532] Call Trace:
[14280.315669]  [<ffffffff8168d159>] schedule_preempt_disabled+0x29/0x70
[14280.316637]  [<ffffffff8168adb5>] __mutex_lock_slowpath+0xc5/0x1c0
[14280.316637]  [<ffffffff81208e17>] ? unlazy_walk+0x87/0x140
[14280.318543]  [<ffffffff8168a21f>] mutex_lock+0x1f/0x2f
[14280.319516]  [<ffffffff81683c93>] lookup_slow+0x33/0xa7
[14280.320690]  [<ffffffff8120c8f3>] path_lookupat+0x773/0x7a0
[14280.321718]  [<ffffffff81183775>] ? filemap_fault+0x215/0x410
[14280.321718]  [<ffffffff811de5e5>] ? kmem_cache_alloc+0x35/0x1e0
[14280.323363]  [<ffffffff8120f23f>] ? getname_flags+0x4f/0x1a0
[14280.324348]  [<ffffffff8120c94b>] filename_lookup+0x2b/0xc0
[14280.324348]  [<ffffffff81210367>] user_path_at_empty+0x67/0xc0
[14280.325307]  [<ffffffff811b1431>] ? handle_mm_fault+0x6b1/0xfe0
[14280.327150]  [<ffffffff812103d1>] user_path_at+0x11/0x20
[14280.327965]  [<ffffffff81203843>] vfs_fstatat+0x63/0xc0
[14280.328093]  [<ffffffff81203dae>] SYSC_newstat+0x2e/0x60
[14280.328093]  [<ffffffff81692875>] ? do_page_fault+0x35/0x90
[14280.330895]  [<ffffffff8168ea88>] ? page_fault+0x28/0x30
[14280.331790]  [<ffffffff8120408e>] SyS_newstat+0xe/0x10
[14280.331857]  [<ffffffff81697089>] system_call_fastpath+0x16/0x1b

我是系统管理新手，除了与 imapd 有关的东西之外，我对这些都一无所知。我已经多次重启这台机器，但它几乎没有释放任何硬盘空间或资源。我不明白发生了什么，为什么 du 会像上面那样失败。我在这里主要想问从哪里开始？虽然这台机器很旧，而且总是有它的问题，但它以前从来没有出现过这种情况（尽管我承认数据驱动器空间不足），但如果我清除它，就会有东西把它吃掉。

为了完整性：

df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        2.9G     0  2.9G   0% /dev
tmpfs           2.9G     0  2.9G   0% /dev/shm
tmpfs           2.9G   41M  2.8G   2% /run
tmpfs           2.9G     0  2.9G   0% /sys/fs/cgroup
/dev/vda3        21G   18G  2.1G  90% /
/dev/vdb        459G  435G  442M 100% /mail
/dev/vda1       976M  119M  790M  14% /boot
tmpfs           581M     0  581M   0% /run/user/0
tmpfs           581M     0  581M   0% /run/user/1000


top - 06:06:53 up  6:52,  3 users,  load average: 36.42, 36.64, 31.74
Tasks: 346 total,   8 running, 338 sleeping,   0 stopped,   0 zombie
%Cpu(s):  7.4 us,  1.2 sy,  0.0 ni,  0.0 id, 89.9 wa,  0.0 hi,  0.0 si,  1.5 st
KiB Mem :  5946284 total,   130280 free,  2278016 used,  3537988 buff/cache
KiB Swap:  2516988 total,  1906332 free,   610656 used.  3362528 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND     
19174 postfix   20   0   27028   5504   1488 R   8.3  0.1   0:38.53 imapd       
19586 postfix   20   0   27028   5504   1488 D   7.6  0.1   0:32.18 imapd       
19008 postfix   20   0   27028   5504   1488 R   7.0  0.1   0:48.61 imapd       
19372 postfix   20   0   27464   5872   1504 D   4.3  0.1   0:30.38 imapd       
20087 postfix   20   0   27028   5504   1488 D   4.3  0.1   0:23.27 imapd       
20188 postfix   20   0   27028   5504   1488 D   4.3  0.1   0:23.31 imapd       
20353 postfix   20   0   27028   5508   1488 D   4.3  0.1   0:23.05 imapd       
19963 postfix   20   0   27028   5508   1488 D   4.0  0.1   0:23.85 imapd       
20275 postfix   20   0   27028   5508   1488 D   4.0  0.1   0:22.56 imapd       
18460 postfix   20   0   29348   5748   1588 R   3.7  0.1   0:38.09 imapd       
20236 postfix   20   0   27028   5516   1488 D   3.7  0.1   0:22.86 imapd       
   32 root      20   0       0      0      0 S   1.7  0.0   5:57.44 kswapd0     
20079 postfix   20   0   32728   9152   1520 S   1.7  0.2   0:01.90 imapd       
19702 postfix   20   0   27028   5516   1488 D   1.3  0.1   0:27.77 imapd       
18575 postfix   20   0   30472   6848   1596 D   1.0  0.1   0:14.86 imapd       
19782 postfix   20   0   27028   5508   1488 D   1.0  0.1   0:27.02 imapd       
 1026 root      20   0 1174028  22616   8992 S   0.7  0.4   2:53.90 fail2ban-s+ 

不确定要看什么，然后尝试下一步找出我可以在哪里找到一些文件夹，并知道我们保留了谁的旧收件箱以清除它们，以便释放空间并希望使服务器性能更好。

我唯一的想法是，让 systemctl 暂时停止 postfix，看看 du 和 ls 是否工作得更好，并仔细检查 top 是否没有因此而被 ping 出去。

如果与 iostat 相关，则：

iostat
Linux 3.10.0-514.16.1.el7.x86_64 (xmail)    11/21/2024  _x86_64_    (3 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           5.95    0.01    1.29   88.86    0.65    3.24

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
vda              11.92       252.15        61.60    6335865    1547820
vdb            1517.62     62131.62        78.76 1561227117    1979120

我想我可能是搬起石头砸自己的脚。很久以前，我尝试使用 mount bind 命令将旧的 Linux 机器备份到 nas：

mount --bind / /mnt/src tar -C /mnt/src -c 。> /mnt/backup_to_nas/full-backup-.tar.gz date '+%d-%B-%Y'--exclude=tmp --exclude=mnt

然后我意识到我从未卸载/mnt/src

我的问题是，这是否占用了我所拥有的 / 空间的两倍？我的空间严重不足，不确定我是否在追着尾巴试图删除文件以恢复空间。

df -h 显示：

[root@web-server mnt]# df -h
Filesystem                        Size  Used Avail Use% Mounted on
devtmpfs                          1.9G     0  1.9G   0% /dev
tmpfs                             1.9G  4.0K  1.9G   1% /dev/shm
tmpfs                             1.9G  194M  1.7G  11% /run
tmpfs                             1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/vda2                         7.6G  7.6G     0 100% /
/dev/vda1                         190M  171M  5.3M  98% /boot
/dev/vdb                          230G  152G   67G  70% /usr/local
tmpfs                             379M     0  379M   0% /run/user/0
tmpfs                             379M     0  379M   0% /run/user/2527
tmpfs                             379M     0  379M   0% /run/user/2543
10.50.1.104:/data                 9.1T  8.0T  610G  94% /mnt/backup
tmpfs                             379M     0  379M   0% /run/user/2539
10.75.0.199://volume1/ICCBackups   32T  4.2T   28T  14% /mnt/backup_to_nas
tmpfs                             379M     0  379M   0% /run/user/500

lsblk 显示：

[root@web-server mnt]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
vda    253:0    0     8G  0 disk 
├─vda1 253:1    0   200M  0 part /boot
└─vda2 253:2    0   7.8G  0 part /mnt/src
vdb    253:16   0 232.8G  0 disk /usr/local

在 root 中进行了空间检查：

杜 -xhs * | 排序-rh

134G    home
15G data
6.9G    mnt
186M    run
170M    boot
52M etc
848K    ARC-History.pdf
16K lost+found
8.0K    export
8.0K    backup
4.0K    media
4.0K    check_permissions.py
0   sys
0   proc
0   lib64
0   lib
0   dev
0   bin

我不明白为什么像 /home 这样的一些大文件夹比 df -h 报告的大，所以我做了一个 mount | grep home 并得到：

[root@web-server mnt]# mount | grep home
/dev/vdb on /home type ext4 (rw,relatime,data=ordered)
/dev/vda2 on /home/weather/public_html/weather_rrd type ext4 (rw,relatime,data=ordered)
/dev/vda2 on /usr/local/home/weather/public_html/weather_rrd type ext4 (rw,relatime,data=ordered)
/dev/vdb on /home/workers/public_html/VM-SYSTEMS type ext4 (rw,relatime,data=ordered)
/dev/vdb on /usr/local/home/workers/public_html/VM-SYSTEMS type ext4 (rw,relatime,data=ordered)

看来如果我能弄清楚这些是什么以及如何重新安置，我可能会给自己赢得一些喘息的空间：

/dev/vda2 on /home/weather/public_html/weather_rrd type ext4 (rw,relatime,data=ordered)
/dev/vda2 on /usr/local/home/weather/public_html/weather_rrd type ext4 (rw,relatime,data=ordered)

再说一遍，我的 mount --bind 命令 / 进入 /mnt/src 是否占用了双倍空间？这样做时有什么我不明白（可能）的事情吗？我做了一个 lsof /mnt/src ，似乎一切都在使用它。

但确实以此开始报告不确定是否相关：

[root@web-server mnt]# lsof /mnt/src
lsof: WARNING: can't stat() ext4 file system /var/www/html/net-status/bw-mon (deleted)
      Output information may be incomplete.
lsof: WARNING: can't stat() ext4 file system /usr/local/www/net-status/bw-mon (deleted)
      Output information may be incomplete.

所以不确定从哪里开始删除大文件，因为我在 / 中找到了它们？（即使 /home 似乎在其他地方？）。ls -lh 不将其显示为符号链接。

[root@web-server /]# ls -lh
total 1.2M
-rw-------    1 root root 847K Jul 27  2020 ARC-History.pdf
drwxr-xr-x    3 root root 4.0K Sep 13 17:21 backup
lrwxrwxrwx    1 root root    7 May 11  2018 bin -> usr/bin
dr-xr-xr-x.   5 root root 3.0K Aug 16 18:06 boot
-rw-r--r--    1 root root 3.3K May 12  2019 check_permissions.py
-rw-------    1 root root    0 Sep 13 17:33 core.20448
-rw-------    1 root root    0 Sep 13 17:46 core.28055
drwxr-xr-x    7 root root 4.0K Sep 13 17:16 data
drwxr-xr-x   18 root root 3.1K Sep 12 18:08 dev
drwxr-xr-x. 148 root root  12K Aug 31 17:26 etc
drwxr-xr-x    3 root root 4.0K Apr  2  2015 export
drwxr-xr-x   22 root root 4.0K Aug 27 18:06 home
lrwxrwxrwx    1 root root    7 May 11  2018 lib -> usr/lib
lrwxrwxrwx    1 root root    9 May 11  2018 lib64 -> usr/lib64
drwx------.   2 root root  16K Mar 31  2015 lost+found
drwxr-xr-x.   2 root root 4.0K Apr 12  2018 media
drwxr-xr-x.   6 root root 4.0K Feb  9  2023 mnt
drwxr-xr-x.   7 root root 4.0K Aug 25 15:13 opt
dr-xr-xr-x  225 root root    0 Nov  8  2021 proc
dr-xr-x---.  26 root root  12K Aug 25 15:19 root
drwxr-xr-x   48 root root 1.5K Sep 13 17:01 run
lrwxrwxrwx    1 root root    8 May 11  2018 sbin -> usr/sbin
-rw-r--r--    1 root root    0 May 15  2019 searchresults.txt
drwxr-xr-x.   2 root root 4.0K Apr 12  2018 srv
dr-xr-xr-x   13 root root    0 Nov 29  2021 sys
drwxrwxrwt.  16 root root 244K Sep 13 17:49 tmp
drwxr-xr-x.  14 root root 4.0K May 11  2018 usr
drwxr-xr-x.  25 root root 4.0K Aug  9 20:21 var
drwxr-xr-x    2 root root 4.0K Aug  9  2015 zaphod-data

编辑：查看了 fstab 文件，该文件揭示了内容的位置：

UUID=c9d6c99f-d7a5-4117-93ba-029cc34d8b61 /                       ext4    defaults        1 1
UUID=19fcad32-0fcb-423a-87e9-586d03d2e406 /boot                   ext4    defaults        1 2
#LABEL=/home    /home       ext4 defaults 1 2
#192.41.211.105:/export/images      /export/images          nfs     rsize=32768,wsize=32768,actimeo=0,bg,intr
LABEL=local-web-server  /usr/local  ext4    defaults    1 2
/usr/local/home     /home       none    bind        0 0
/usr/local/www      /var/www/html   none    bind        0 0
/usr/local/data     /data       none    bind        0 0
/tmp/rrdweather     /home/weather/public_html/weather_rrd   none    bind    0 0
/usr/local/data     /data       none    bind        0 0
/home/workers/Site/VM-SYSTEMS /home/workers/public_html/VM-SYSTEMS none bind 0 0
#/home/workers/public_html/WebCalendar-1.2.3 /home/workers/public_html/WebCalendar none bind 0 0
#/home/workers/public_html/WebCalendar-1.2.0 /home/workers/public_html/WebCalendar~ none bind 0 0
/home/workers/public_html/net-status /usr/local/www/net-status none bind 0 0
/tmp/bw-mon     /var/www/html/net-status/bw-mon     none    bind        0 0
/var/lib/smokeping/images /var/www/html/smokeping/images none   bind        0 0

#mounting for our cheezy backup of web-server
10.50.1.104:/data /mnt/backup nfs

编辑2：所以我意识到如果我在 /mnt/src 中执行排序命令我会得到更准确的信息......

[root@web-server src]# du -xhs * | sort -rh
4.8G    usr
707M    var
421M    opt
397M    backup
168M    root
150M    tmp
52M etc
848K    ARC-History.pdf
16K lost+found
12K mnt
8.0K    export
4.0K    zaphod-data
4.0K    sys
4.0K    srv
4.0K    run
4.0K    proc
4.0K    media
4.0K    home
4.0K    dev
4.0K    data
4.0K    check_permissions.py
4.0K    boot
0   searchresults.txt
0   sbin
0   lib64
0   lib
0   core.28055
0   core.20448
0   bin

向我展示了 usr 中可能需要清除的空间（不知道我不是 Linux 专家），var 有一些我能够清除的好东西（旧日志）。仍在努力，但我想我要问的关键是我真的应该卸载 /mnt/src 吗？或者让它像这样行驶可以吗，因为每次我尝试发出命令时它都会说它很忙。

我有一个 crontab：

 * * * * * /home/ipa/web/backup.sh > /dev/null 2>&1

（不，它不会每分钟都运行，只是在这里测试）

backup.sh 有这个：

#!/usr/bin/env sh



sqlite3 /home/ipa/web/ipa_django/mysite/db.sqlite3 ".backup 'backup_file.sqlite3'"
src="/home/ipa/web/backup_file.sqlite3"
let seconds=$(date +%H)*3600+$(date +%M)*60+$(date +%S)
echo $seconds
filename="db.sqlite3"
echo $filename.$seconds
dest="/home/ipa/web/db_backups/"$filename.$seconds
cp  $src $dest
cd /home/ipa/web/db_backups
tar -cvzf ipadbbackup.tar.gz $filename.$seconds
cd /home/ipa/web/
cp /home/ipa/web/db_backups/ipadbbackup.tar.gz ipadbbackup.tar.gz
rm /home/ipa/web/db_backups/$filename.$seconds
rm /home/ipa/web/db_backups/ipadbbackup.tar.gz
#rm "$srcfile"
/usr/bin/bash start-app.sh;
echo "Running email backup"
python2.7 backup_via_email.py
rm ipadbbackup.tar.gz

我的想法是我将数据库复制到暂存区域，将其压缩并复制到另一个 .py 文件可以找到它的位置，然后通过电子邮件将其作为备份发送出去。

问题是：

如果我从它所在的位置运行此脚本：/home/ipa/web/

带有 ./backup.sh

效果很好，我的电子邮件中的文件效果很好：db.sqlite3.77627

或者什么不是......问题是当它作为cron运行时文件不完整并且文件名是：

db.sqlite3.

我无法弄清楚它作为 cron 运行会导致它基本上失败吗？tar 中的文件也小了 2.1k？所以不知道发生了什么......甚至不知道在哪里看。

尝试使用本教程执行上述操作：

https://www.unixguide.net/content/openldap-allow-users-change-their-password-unix-passwd-command

所以我创建了这个 ldif：

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * none

add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * read

运行 ldapmodify，现在在我运行上述修改之前，没有用户可以使用密码登录任何客户端。

现在尝试登录说输入正确密码后权限被拒绝....我打破了什么？（对openldap完全陌生）

这可能是相关的，这就是我让我的客户连接到我的 openldap 服务器的方式：

yum install -y openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=bbb,dc=local" --enablemkhomedir --update

开箱即用，如果我在 ldap 用户上键入 passwd ......结果会发生：

[ldapuser@sdss5-db ~]$ passwd
Changing password for user ldapuser.
(current) LDAP Password: 
New password: 
Retype new password: 
password change failed: Insufficient access
passwd: Authentication token manipulation error

虽然上面带有 olcAccess 的 ldif 文件再次破坏了我的 ldap 并没有使任何工作（在我运行该命令之前必须将 VM 恢复到 ..主要是因为我是 ldap 的新手并且不知道如何删除项目等)

这是我所有的 cn=config 文件：

olcDatabase={-1}frontend.ldif


# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 daf543d1
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: 1244881e-5cf7-103b-94a5-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408737Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z


olcDatabase={0}config.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54d58ed2
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448a9e-5cf7-103b-94a6-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408801Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z



olcDatabase={1}monitor.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3165478b
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448d32-5cf7-103b-94a7-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al, cn=auth" read by dn.base="cn=ldapadm,dc=bbb,dc=local" read by * none
entryCSN: 20210608225001.645649Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210608225001Z




olcDatabase={2}hdb.ldif


# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 89413e34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1244907a-5cf7-103b-94a8-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcSuffix: dc=bbb,dc=local
olcRootDN: cn=ldapadm,dc=bbb,dc=local
olcRootPW:: e1NTSEF9QTB0dS94UjR6cy83ZEMvQUxPL21uS2RLaXZUeFNXVEg=
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba
 se="cn=ldapadm,dc=bbb,dc=local" write by * none
entryCSN: 20210702202550.687485Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210702202550Z

似乎它没有写第二部分：

add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read

到 olcDatabase={2}hdb.ldif ，按照它的例子olcAccess: {1}to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read

我猜这是在我运行命令后无法正常登录的原因。我不确定为什么它没有显示出来，因为当我使用上面发布的 ldif 运行修改命令时没有出现错误...

ldap 修改的结果是这样的：

[root@openldapserver ~]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f passwordaccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

我在这里关注本教程：

https://kifarunix.com/how-to-configure-sudo-via-openldap-server/

很多都是有道理的，但对于 openldap 来说仍然是新的，所以其中一些也很神秘。我让 openldap 运行，用户在其他机器上进行身份验证，甚至使用 phpldapadmin。所以是时候让 sudoers 为一些用户工作了。我运行了sudoers2ldif命令，得到了一个类似于教程中显示的文件，并进行了相应的编辑。当它运行ldapadd -Y EXTERNAL -H ldapi:/// -f sudoers_modified.ldif时失败并出现错误：

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=defaults,ou=SUDOers,dc=apo,dc=local"
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax

21 是 .ldif 文件的行号吗？或其他一些错误代码...也不知道 objectClass 命令上的无效内容...发布的是下面的 ldif 文件。

dn: cn=defaults,ou=SUDOers,dc=bbb,dc=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin

dn: cn=sudo,OU=SUDOers,dc=bbb,dc=local
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: bobby
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

也许 sudoRole 需要以某种方式添加？我为此成功添加的另一个 ldif 是：

dn: ou=SUDOers,dc=bbb,dc=local
objectCLass: top
objectClass: organizationalUnit
ou: SUDOers
description: BBB SUDOers container

我在这里找到了另一个教程：

https://forums.centos.org/viewtopic.php?t=73807

由于类似的信息略有不同，我没有使用这个，因为发布的一个 ldif 文件有很多东西说它是“自动生成的”，我不知道它是如何或从哪里来的。

在一个答案之后，我相信上面链接中显示的文件包含数据：

vi /testfolder/sudoers.ldif
#------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b181185c
dn: cn=sudoers,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudoers
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s
) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrin
gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s
) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring
sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com
mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(
s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3
.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti
ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U
ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.
1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC '
Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S
tart of time interval for which the entry is valid' EQUALITY generalizedTim
eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'En
d of time interval for which the entry is valid' EQUALITY generalizedTimeMa
tch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an i
nteger to order the sudoRole entries' EQUALITY integerMatch ORDERING intege
rOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer
Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand
$ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ su
doNotBefore $ sudoNotAfter $ description ) )

一旦我意识到该文件是我添加它的架构并最终使这一切正常工作，因此我接受了答案，即使我不得不深入研究我正在做的事情。顺便说一句，我的 ldap 中没有使用架构文件，我必须通过 ldapadd 添加它

我有一个我在cent os 7 上设置的openldap 服务器。我将它混合以与我的所有其他VM 一起工作，这些VM 从nfs 服务器为他们的/home 安装nfs 安装。

我刚刚发现，如果我创建一个新的 ldap 用户并尝试登录某个 VM，它可以让我登录，但说明它无法创建 /home/user 并且无法对其进行 chngdir。

但我也了解到，如果我首先 ssh user@mynfsserver 它登录，创建适当的 /home/user 然后我可以使用我的 ldapuser ssh 到任何其他 VM，它工作得很好，不再抱怨无法创建该用户在家中的文件夹。

我在每个带有 home.map 文件的 VM 上使用 autofs，它看起来具有正确的权限：

* -fstype=nfs,rw,nosuid,soft 10.10.1.139:/home/&

所以这感觉像是某种权限问题，用户在使用新创建的 ldap 凭据登录 VM 时出错。但是，如果同一用户登录到 10.10.1.139（从其中映射 home 的 nfs 服务器），那么似乎让他们登录到虚拟机而不再出现无法创建 /home/user 错误。

我的 openldap 服务器是否必须以某种方式了解 nfs 服务器？

除了必须先登录到 nfs 服务器的麻烦之外，我可以转到另一个虚拟机，触摸该主文件夹中的文件，然后宾果游戏就在我登录的任何其他虚拟机上。所以它就像 95% 的工作，只是烦人必须首先使用 ldap 用户登录到 nfserver 以使 /home/user 的创建首先在其他 VM 上工作。

我以为我已经通过 nfs 从我的服务器正确地安装了 /home 到客户端。我不认为我这样做。如果您在服务器上并创建了一个用户，那么您将无法转到客户端并以所述用户身份登录。还有其他方法可以做到这一点吗？还是在openldap等的世界里？

我有一个服务，我试图以这种方式运行，但它是一个稍微大一点的 python 程序。我退后一步，构建了一个简单的 Python 程序，看看我是否可以让它运行。当我尝试通过 telnet 连接到正在运行的此套接字时，它失败了。下面是 .socket、.service 和 .py 文件....

testPy.socket

[Unit]
Description=Socket to TESTPY for connection
PartOf=testPy.service

[Socket]
ListenStream=30001

[Install]
WantedBy=sockets.target

testPy.service

[Unit]
Description=TEST PY
After=network.target testPy.socket
Requires=testPy.socket
[Service]
ExecStart=/home/workers/miniconda2/bin/python /home/workers/testPy.py
StandardInput=socket
[Install]
WantedBy=default.target

testPy.py

import sys

END_OF_LINE = '\r\n'
while(1):
        input = sys.stdin.readline()
        buffer = input.strip()
        if not buffer:
                sys.stdout.write("OKAY DUDE")
                sys.stdout.flush()
                continue
        if buffer in ['quit', 'QUIT']:
                break
        sys.stdout.write('\n' + buffer + END_OF_LINE)
        sys.stdout.flush()

现在，如果我在命令行中运行它，它运行良好。我可以输入退出，它退出循环，回声任何东西..

如果我说：

systemctl start testPy.socket

然后输入：

远程登录本地主机 30001

它连接一点然后放下它。然后各种状态（对我来说）是非描述性的：

systemctl status testPy.socket

● testPy.socket - Socket to TESTPY for connection
   Loaded: loaded (/etc/systemd/system/testPy.socket; disabled; vendor preset: disabled)
   Active: failed (Result: service-failed-permanent) since Thu 2021-03-11 13:59:54 EST; 11min ago
   Listen: [::]:30001 (Stream)

Mar 11 13:59:42 dhcp-093.apo.nmsu.edu systemd[1]: Listening on Socket to TESTPY for connection.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Unit testPy.socket entered failed state.

systemctl status testPy.service

● testPy.service - TEST PY
   Loaded: loaded (/etc/systemd/system/testPy.service; disabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2021-03-11 13:59:54 EST; 12min ago
  Process: 2087 ExecStart=/home/workers/miniconda2/bin/python /home/workers/testPy.py (code=exited, status=1/FAILURE)
 Main PID: 2087 (code=exited, status=1/FAILURE)

Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Started TEST PY.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service: main process exited, code=exited, status=1/FAILURE
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Unit testPy.service entered failed state.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service failed.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: start request repeated too quickly for testPy.service
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: Failed to start TEST PY.
Mar 11 13:59:54 dhcp-093.apo.nmsu.edu systemd[1]: testPy.service failed.

我相信如果我可以让这个简单的测试工作，我可以获得我需要运行的更大的 .py 文件，因为它的工作原理基本相同。我为此构建了一个服务和套接字，通常有相同的错误。虽然systemctl status kosmos.service给出了一个失败的仍然但是说主PID状态= 0/成功所以这很奇怪。

它说启动限制是失败的，但是如果像这里这样简单的服务必须启动并启动并启动这意味着其他错误，猜测我的套接字或服务文件中的配置但不确定是什么。我希望我的 python 不会因监听 sys.stdin.readline 等而改变，而它读取的行只是来自另一台机器在该端口（30001）上建立的连接。我认为这就是所有这些套接字的作用（所有这些都是因为它曾经在带有 xinetd 的旧机器上运行）

我有一个在 kvm 下运行的虚拟机（它是一个 .img 文件），它运行的服务器严重崩溃并重新启动，最后终于搞定了……我想我跑了

yum install -y qemu-kvm

我确信在一个非常古老的未更新操作系统上更新了很多东西。这台机器死后我遇到了问题，因为它看到 vm 像 KVM 本身一样在那里（图像文件在那里，但它们没有在任何地方“注册”）。不知道我是怎么把它找回来的，但是所有的 VMS 都启动了 virsh 但是一个......它给出了一个错误：

[root@sdss4-server1 ~]# virsh start sdss-host2
setlocale: No such file or directory
error: Failed to start domain sdss-host2
error: unsupported configuration: Only a single IDE controller is supported for this machine type

我的文件损坏了吗？我可以修理它吗？我很乐意让这个虚拟机再次运行，因为没有备份，并且一些数据需要从它中取出。（我以为我可以以某种方式在 linux 中挂载 .img 文件？但我尝试了以下方法）

kpartx -av sdsshost2.img
add map loop0p1 (253:2): 0 208782 linear /dev/loop0 63
add map loop0p2 (253:3): 0 10490445 linear /dev/loop0 208845
device-mapper: resume ioctl on loop0p3  failed: Invalid argument
create/reload failed on loop0p3
add map loop0p3 (0:0): 0 62916711 linear /dev/loop0 10699290


[root@sdss4-server1 vm-cache]# sudo mount /dev/mapper/loop0p2 /mnt/host2
mount: unknown filesystem type 'swap'

[root@sdss4-server1 vm-cache]# sudo mount /dev/mapper/loop0p1 /mnt/host2

(I think this is a boot and the files in it are:)


System.map                      initrd-2.4.21-27.0.2.EL.img             vmlinux-2.4.21-27.0.2.ELsmp
System.map-2.4.21-27.0.2.EL     initrd-2.4.21-27.0.2.ELsmp.img          vmlinux-2.4.21-32.0.1.EL
System.map-2.4.21-27.0.2.ELsmp  initrd-2.4.21-32.0.1.EL.img             vmlinux-2.4.21-32.0.1.ELsmp
System.map-2.4.21-32.0.1.EL     initrd-2.4.21-32.0.1.ELsmp.3w-9xxx.img  vmlinuz-2.4.21-27.0.2.EL
System.map-2.4.21-32.0.1.ELsmp  initrd-2.4.21-32.0.1.ELsmp.img          vmlinuz-2.4.21-27.0.2.ELsmp
config-2.4.21-27.0.2.EL         initrd-2.4.21-52.ELBOOT.img             vmlinuz-2.4.21-32.0.1.EL
config-2.4.21-27.0.2.ELsmp      kernel.h                                vmlinuz-2.4.21-32.0.1.ELsmp
config-2.4.21-32.0.1.EL         message                                 vmlinuz-2.4.21-52.ELBOOT
config-2.4.21-32.0.1.ELsmp      message.ja
grub                            vmlinux-2.4.21-27.0.2.EL

当然不是我想要的，看起来 loop0p3 是我想要安装的，但是 kpartx 给出了一个我不完全理解的错误。

那么我的虚拟驱动器/磁盘坏了吗？我能做些什么来恢复这个如何？

主机定义文件：

<domain type='kvm'>
  <name>sdss-host2</name>
  <uuid>36637cc5-63a1-4485-9a41-31afafb352dd</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <memoryBacking>
    <hugepages/>
  </memoryBacking>
  <vcpu placement='static' cpuset='21'>1</vcpu>
  <cputune>
    <emulatorpin cpuset='21'/>
  </cputune>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.0.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>coreduo</model>
    <vendor>Intel</vendor>
  </cpu>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/vm-cache/sdsshost2.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/sdi'/>
      <target dev='hdb' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='piix3-uhci'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='ide' index='1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </controller>
    <interface type='direct'>
      <mac address='52:54:00:2d:d1:ee'/>
      <source dev='enp4s0f0' mode='vepa'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' keymap='en-us'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='vga' vram='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
  </devices>
</domain>

所以我想在这里遵循这个：

https://www.digitalocean.com/community/tutorials/how-to-set-up-django-with-postgres-nginx-and-gunicorn-on-ubuntu-16-04

除了最新的树莓派。我认为或认为我已经正确配置了所有内容......

在上面的那个教程中，它让你从创建一个 django 项目到让它在 gunicorn 下运行，甚至测试它：

激活虚拟环境，然后

cd ~/myproject
gunicorn --bind 0.0.0.0:8000 myproject.wsgi

这部分有效，一旦出现，就像我做了一个 python3 manage.py runserver 0.0.0.0:8000

我可以然后转到我的浏览器并输入主机名：

webserver2.abc.com:8000

并且所有作品的应用程序都出现了。

如果我停止 gunicorn 命令并键入 deactivate，然后我尝试使用我在 /etc/systemd/system 中添加的 .service 运行它。它似乎在运行并且

 sudo systemctl status gunicorn


● gunicorn.service - gunicorn daemon
   Loaded: loaded (/etc/systemd/system/gunicorn.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-10-21 13:24:51 MDT; 50s ago
 Main PID: 7645 (gunicorn)
    Tasks: 4 (limit: 4915)
   Memory: 55.0M
   CGroup: /system.slice/gunicorn.service
           ├─7645 /home/pi/myvirtualenv_covid19/covid19env/bin/python /home/pi/myvirtualenv_covid19/covid19env/bin/gunicorn --workers 3 --bind unix:/tmp/covid19.sock covid19.wsgi:application
           ├─7651 /home/pi/myvirtualenv_covid19/covid19env/bin/python /home/pi/myvirtualenv_covid19/covid19env/bin/gunicorn --workers 3 --bind unix:/tmp/covid19.sock covid19.wsgi:application
           ├─7652 /home/pi/myvirtualenv_covid19/covid19env/bin/python /home/pi/myvirtualenv_covid19/covid19env/bin/gunicorn --workers 3 --bind unix:/tmp/covid19.sock covid19.wsgi:application
           └─7653 /home/pi/myvirtualenv_covid19/covid19env/bin/python /home/pi/myvirtualenv_covid19/covid19env/bin/gunicorn --workers 3 --bind unix:/tmp/covid19.sock covid19.wsgi:application

Oct 21 13:24:51 webserver2 systemd[1]: Started gunicorn daemon.
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7645] [INFO] Starting gunicorn 20.0.4
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7645] [INFO] Listening at: unix:/run/gunicorn.sock (7645)
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7645] [INFO] Using worker: sync
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7651] [INFO] Booting worker with pid: 7651
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7652] [INFO] Booting worker with pid: 7652
Oct 21 13:24:51 webserver2 gunicorn[7645]: [2020-10-21 13:24:51 -0600] [7653] [INFO] Booting worker with pid: 7653

确认。

所以它似乎正在运行，虽然这次再次访问 webserver2.abc.com:8000 不起作用，这是 /etc/systemd/system 中的 gunicorn.service

[Unit]
Description = gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=pi
WorkingDirectory=/home/pi/myvirtualenv_covid19/covid19
ExecStart=/home/pi/myvirtualenv_covid19/covid19env/bin/gunicorn --workers 3 --bind unix:/tmp/covid19.sock covid19.wsgi:application
Restart=always

[Install]
WantedBy=multi-user.target

好奇没有要绑定的端口吗？也许我在我的 django 项目中缺少一个额外的配置？？？

所以其次让 nginx 看到这些似乎是一个问题，因为如果我转到

http://webserver2.abc.com:8080/

给我一个 502 坏网关。通常会告诉我 /var/log/nginx 中的错误：

2020/10/21 13:33:11 [crit] 1836#1836: *65 connect() to unix:/tmp/covid19.sock failed (2: No such file or directory) while connecting to upstream, client: 10.75.1.245, server: , request: "GET / HTTP/1.1", upstream: "http://unix:/tmp/covid19.sock:/", host: "webserver2.abc.com:8080"

它似乎正在运行，但 /tmp 中没有 sock 文件让我相信 gunicorn 没有从 systemd/system .service 文件运行

所以看起来袜子并没有被创建，尽管 gunicorn.socket 文件确实设置了一个 /run/gunicorn.sock 文件。只是 /tmp/covid19.sock 文件不是。

我觉得我很亲密，只需要一点帮助来连接点。

（我的 nginx 也设置为侦听端口 8080，但我没有看到我在 gunicorn.service 文件中告诉它在 8080 上运行的位置？）

为了完整起见，我的 covid19.conf 文件来自 /etc/nginx/ 中可用的站点

server {
    listen 8080;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /home/pi/myvirtualenv_covid19/covid19;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/tmp/covid19.sock;
    }
}

在输入这个问题时，我发现了这个：

即使安装了新证书，Apache 似乎仍在使用旧的过期证书

他的问题是我的问题，他尝试的所有事情或多或少我也做过。不同之处在于他的解决了，因为他运行了 nginx。就我而言，我没有这样的反向代理服务器。所以我只是无法让 Apache 看到我使用 certbot 获得的新证书（这是另一个问题，certbot auto renew 不起作用给出了错误，所以我做了一个 certbot cert only apache 和 point appach ssl-certs in etc/ httpd/extra 到那里。

像他一样尝试了其他一切。将 /etc/httpd/extra/ssl-certs 和 ssl-certs-proxy 指向的文件夹移动到 /tmp，并让这些文件指向新的 .pem 位置：

SSLCertificateFile /etc/letsencrypt/live/www.apo.nmsu.edu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.apo.nmsu.edu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.apo.nmsu.edu/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

cert.pem -> ../../archive/www.apo.nmsu.edu/cert2.pem
chain.pem -> ../../archive/www.apo.nmsu.edu/chain2.pem
fullchain.pem -> ../../archive/www.apo.nmsu.edu/fullchain2.pem
privkey.pem -> ../../archive/www.apo.nmsu.edu/privkey2.pem

唉，没什么，没有变化，网站仍然报告过期的票。在另一个文件夹 /live/apo.nmsu.edu-0004 中，我移到了 tmp。所以不确定 apache 是如何处理所有这些的。

apachectl 是否停止了 apachectl start 甚至重新启动并重置了这一切都在运行的 vm。

同样的问题。完全没有想法，甚至使用 openssl 检查新的 .pem 文件，它们确实会在 90 天内正确过期（它们来自letsencrypt）。

还：

[root@web-server extra]# apachectl -v
Server version: Apache/2.4.6 (Scientific Linux)
Server built:   Jul 29 2019 10:53:12

陷入了管理我之前的人使用 virt 的盒子的情况，因此试图加快速度。作为对此进行 virt-install 的测试：

virt-install --virt-type=kvm --name kosmos-icc --ram 1000 --os-variant=centos7.0 --cdrom=/var/lib/libvirt/boot/CentOS-7-x86_64-Minimal-1810.iso --network=bridge=virbr0,model=virtio --graphics vnc --disk path=/var/lib/libvirt/images/centos7.qcow2,size=8,bus=virtio,format=qcow2 --boot userserial=on

它运行如下：

WARNING  Graphics requested but DISPLAY is not set. Not running virt-viewer.
WARNING  No console to launch for the guest, defaulting to --wait -1

Starting install...
Allocating 'centos7.qcow2'                                                                                                                                                | 8.0 GB  00:00:00     
Domain installation still in progress. Waiting for installation to complete.

然后挂起，我可以按 ctrl-c 并返回提示符，执行 virsh list 显示它正在运行，但执行 virsh domifaddr kosmos-icc 没有显示任何内容（另一个是通用的并且使用 gui 安装）显示来自机器的 IP 地址（我可以通过 ssh 进入）。

所以不知道为什么它没有完成，或者它是否完成并且对此保持沉默，或者我是否错过了一个开关。我假设 virbr0 是使用网络的方式。所以仍然学习 virsh/virt 并查看我是否可以通过命令行安装 VM，然后在非测试机器上复制该过程。

/root/.cache/virt-manager 中的安装日志没有显示真正的错误......实际上显示：

[Wed, 19 Jun 2019 11:28:38 virt-install 351] DEBUG (guest:441) XML fetched from libvirt object:

... the xml ...


[Wed, 19 Jun 2019 11:28:38 virt-install 351] DEBUG (virt-install:744) Domain state after install: 1

安装后的状态是日志看到我的 ctrl-c 键盘中断之前的最后一行。

编辑2：我大部分时间都在运行！这确实是一个 SELinux 问题。所以大多数事情都有效，我得到一个无法写入只读数据库的错误。而且我的一些看起来像静态的东西没有找到，主要是 /admin 在任何东西上都看不到。我不确定是 mysite.settings 问题还是什么。

编辑：感谢下面的评论者，我仔细检查了所有内容并得到了一个新错误。这也许是一个进步，但看起来我确实启用了一些 SELinux 策略，并且不是一个系统管理员，我不确定从哪里开始寻找这告诉我什么。这是 apache error_log

[Wed May 25 10:08:16.399785 2016] [core:notice] [pid 14935] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed May 25 10:08:16.401177 2016] [suexec:notice] [pid 14935] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed May 25 10:08:16.432549 2016] [so:warn] [pid 14935] AH01574: module wsgi_module is already loaded, skipping
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.20.0.33. Set the 'ServerName' directive globally to suppress this message
[Wed May 25 10:08:16.438588 2016] [auth_digest:notice] [pid 14935] AH01757: generating secret for digest authentication ...
[Wed May 25 10:08:16.439945 2016] [lbmethod_heartbeat:notice] [pid 14935] AH02282: No slotmem from mod_heartmonitor
[Wed May 25 10:08:16.448393 2016] [mpm_prefork:notice] [pid 14935] AH00163: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 configured -- resuming normal operations
[Wed May 25 10:08:16.448434 2016] [core:notice] [pid 14935] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed May 25 10:08:20.102783 2016] [mime_magic:error] [pid 14937] [client 172.20.0.33:59454] AH01512: mod_mime_magic: can't read `/home/sthomas/django_nga_site/mysite/wsgi.py'
[Wed May 25 10:08:20.117380 2016] [:error] [pid 14937] (13)Permission denied: [client 172.20.0.33:59454] mod_wsgi (pid=14937, process='', application='172.20.0.33|/nga_sw'): Call to fopen() failed for '/home/sthomas/django_nga_site/mysite/wsgi.py'.

如果我尝试点击 url，它会给我一个 500 错误。

我应该在 wsgi.py 文件上添加权限是：

-rw-r--r-x 并且对 wsgi.py 文件所在的 home 文件夹的权限是：

drwxr-xr-x

阅读可能已经有我答案的问题，看起来不像是那些问题，所以我在这里发布希望得到引导。

我试图使用这个网址：

https://docs.djangoproject.com/en/1.9/howto/deployment/wsgi/modwsgi/

我的版本：

服务器版本：Apache/2.4.6 (CentOS) 服务器搭建时间：2015 年 11 月 19 日 21:43:13

CentOs 版本：CentOS Linux release 7.2.1511 (Core)

Python 版本：Python 2.7.5

Django 版本：(1, 9, 6, 'final', 0)

在我不管理的 centos 盒子上，但我有 sudo 访问权限，所以我能够安装让我的 django 应用程序运行所需的一切python manage.py runserver。看起来不错，所以我想解决下一个让它在 apache 下运行的问题。

Apache 已经在 /var/www/html 下提供了我网站的静态版本并且它运行良好，尽管我将我自己的 WSGI 东西添加到 httpd.conf 文件并加载了我认为的 mod_wsgi。虽然我现在在点击 url 的 ip 地址时得到的只是：

You don't have permission to access / on this server.

所以我回顾了 httpd.conf 并没有尝试设置（别名？）任何东西只是 / 所以我不确定它在做什么。

我的应用程序位于文件夹 /home/sthomas 的值下，我认为我设置了正确的 chwon 和 chmod。

为了做到这一点，我花了一段时间才意识到我必须移动/删除/重命名 apache 设置的welcome.conf 文件，以便每次点击我的 URL 时都看不到默认的欢迎屏幕（我的 linux kung-fu 是基本的）

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule wsgi_module modules/mod_wsgi.so
#
Include conf.modules.d/*.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. [email protected]
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other 
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
#DocumentRoot "/var/www/html"
DocumentRoot "/var/www"

#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /etc/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the 
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    #
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type.  The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #
    MIMEMagicFile conf/magic
</IfModule>

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

WSGIScriptAlias /nga_sw /home/sthomas/django_nga_site/mysite/wsgi.py
WSGIPythonPath /home/sthomas/django_nga_site

<Directory /home/sthomas/django_nga_site/mysite>
<Files wsgi.py>
Require all granted
</Files>
</Directory>