我使用 set 创建新的 AWS 实例create_before_destroy。所以这些东西是在破坏原始资源之前创建的。但是,有时预置会失败,这会导致 AWS 上存在必须手动删除的未使用资源。
由于在替换现有基础设施之前这些资源实际上是临时资源,有没有办法自动丢弃失败的实例?
zcat在 ansible 中有比调用更好的方法shell吗?
- name: "Unpack the local config"
shell: "zcat /proc/config.gz > /usr/src/linux/.config"
args:
creates: "/usr/src/linux/.config"
我已经在 AWS 上设置了一个 Simple AD,我最终可以使用 LDAP 对其进行身份验证。我不明白为什么我无法使用dc=到处广泛建议但能够使用@domain的 .
ldap_bind($ldapconn, "cn=Administrator,dc=ldap,dc=patontheback,dc=org", "<password>");
ldap_bind($ldapconn, "[email protected]", "<password>");
这些不应该是等效的吗?@domain 将始终有效还是特定于 Simple AD?
在 AWS 创建向导中,我得到了这个:
我创建了一个 AMI 角色,它应该具有适当的角色:
但是 IAM 角色没有出现?我忽略了哪一步?
我遇到了很多失败的访问失败:
185.103.252.174 - - [28/Apr/2016:15:09:16 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
173.246.56.51 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:18 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
我的/etc/fail2ban/filter.d/wordpress-auth.conf:
[Definition]
failregex = <HOST>.*POST.*xmlrpc\.php.* 499
在我的/etc/fail2ban/jail.conf:
[wordpress]
enabled = true
port = http,https
filter = wordpress-auth
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 86400
我已经重新启动了 fail2ban,但在/var/log/fail2ban.log中没有看到任何[wordpress]。我究竟做错了什么?
我在vagrant 1.8.1上使用了一个同步的文件夹,我希望它能够 chown 文件,但它似乎没有生效。这是我同步的文件夹:
config.vm.synced_folder(
'../..',
'/home/deploy/sosd/local/',
owner: 'deploy',
group: 'deploy',
type: "rsync",
rsync__chown: true,
rsync__exclude: [
'.git',
'.idea',
'src/frontend/dist',
'src/frontend/tmp',
'src/frontend/node_modules',
'src/frontend/bower_components'
]
)
我仍然最终得到:
drwxr-xr-x 7 vagrant vagrant 4096 Apr 21 07:39 ansible
-rw-r--r-- 1 vagrant vagrant 1198 Apr 18 10:31 circle.yml
-rw-r--r-- 1 vagrant vagrant 1202 Apr 21 05:37 README.md
-rw-r--r-- 1 vagrant vagrant 146 Apr 17 10:52 requirements.txt
drwxr-xr-x 4 vagrant vagrant 4096 Apr 14 23:15 src
这是为什么?
我的供应商是这样的:
config.vm.provision :ansible_local do |ansible|
ansible.playbook = '/home/deploy/sosd/local/ansible/sosd.yml'
ansible.install = true
end
但vagrant up它似乎没有安装:
==> default: Running provisioner: ansible_local...
default: Installing Ansible...
The Ansible software could not be found! Please verify
that Ansible is correctly installed on your guest system.
If you haven't installed Ansible yet, please install Ansible
on your Vagrant basebox, or enable the automated setup with the
`install` option of this provisioner. Please check
https://docs.vagrantup.com/v2/provisioning/ansible_local.html
for more information.
我究竟做错了什么?
当我与非 sudo 用户进行身份验证时,我想覆盖 playbook sudo。
---
name: test
hosts: foo
sudo: yes
如果我做:
ansible-playbook test.yml -e "sudo=no"
它没有被正确覆盖,而是我必须sudo: yes从我的剧本中删除。不应该sudo=no工作吗?
根据manage_clients的帮助文档:
-f 从文件批量生成客户端密钥。(仅限经理)。包含 IP,NAME 格式的行。
所以我尝试了这个:
root@ossec-server:/var/ossec/etc# /var/ossec/bin/manage_agents -f /tmp/agent
Bulk load file: /tmp/agent
Opening: [/tmp/agent]
Failed.: No such file or directory
2015/05/16 15:07:34 manage_agents(1103): ERROR: Unable to open file '/tmp/agent'.
即使拥有完全访问权限:
root@ossec-server:/var/ossec/etc# ls -l /tmp/agent
-rw-r--r-- 1 777 root 16 May 16 14:57 /tmp/agent
内容看起来不错:
root@ossec-server:/var/ossec/etc# cat /tmp/agent
127.0.0.1,agent
我正在尝试应用一些 iptables 规则并且iptables -F应该删除当前规则(根据我的理解),但它似乎冻结了我的 SSH 连接并且在我切换电源之前不允许我重新建立。
我经历了这些步骤:
1.应用iptables规则:
# Delete all existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# MultiPorts (Allow incoming SSH, HTTP and phpMyAdmin)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,2222 -m state --state ESTABLISHED -j ACCEPT
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# derp
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT
# Outgoing Sendmail
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# DNS server
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow DNS zone transfer
iptables -A INPUT -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
2.尝试重置iptables -F
3. 被锁定
我究竟做错了什么?
我想将一个 ssh 密钥移动到 vagrant 中并将它们放入~/.ssh,最简单的方法是什么?我的 Vagrant 文件中有以下内容:
config.vm.synced_folder "conf.d", "/svr/conf.d"
config.vm.provision :shell,
:inline => "ls -l /svr/conf.d/.ssh"
总计 4 -rw-r--r-- 1 vagrant vagrant 1670 Mar 26 08:19 id_rsa.mediapop
config.vm.provision :shell,
:inline => "cp /svr/conf.d/.ssh/id_rsa.mediapop /home/ubuntu/.ssh/id_rsa"
config.vm.provision :shell,
:inline => "ls -l /home/ubuntu/.ssh"
总计 4 -rw-------- 1 ubuntu ubuntu 0 Mar 22 08:56 authorized_keys -rw-r--r-- 1 root root 1670 Mar 26 08:59 id_rsa
但是当我这样做时,vagrant ssh -c "ls -l ~/.ssh"我得到:
$ vagrant ssh -c "ls -l ~/.ssh"
total 4
-rw-r--r-- 1 vagrant vagrant 409 Mar 20 04:47 authorized_keys
所以 vagrant 正在覆盖我的.ssh目录。
在 nginx.conf 中:
http {
geoip_country /etc/nginx/GeoIP.dat;
...
}
如果我做:
server{
...
location / {
add_header X-Geo $geoip_country_code;
add_header X-Geo3 $geoip_country_code3;
add_header X-IP $remote_addr;
...
}
}
只X-IP出现在我的标题中。
$ curl -I www.example.org
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Date: Thu, 17 Jan 2013 19:29:23 GMT
Location: http://www.example.org/login/?next=/
Server: nginx/1.2.2
Vary: Cookie
X-IP: 10.139.34.12
Connection: keep-alive
如果我将位置块更改为:
location / {
add_header X-Geo "foo";
add_header X-Geo3 "bar";
add_header X-IP $remote_addr;
...
}
标题出现了,我怎样才能得到$geoip_country_code?