Tsunani's questions

祝大家美好的一天。发出命令： nslookup kafka.zxc.stage @dns1.prod 有时我会得到答案 - ;; 连接超时; 无法访问服务器

例如，当我每秒运行一个命令时，6 秒内有 6 个请求。部分答案“无法访问服务器”。

我觉得这很奇怪。我决定使用 tcpdump 实用程序进行查看。我举两个例子。当 nslookup 返回 A 记录并且“无法访问任何服务器”时。

一切安好。响应返回到控制台 -

3926 IP (tos 0x0, ttl 64, id 40303, offset 0, flags [none], proto UDP (17), length 202) 
dns-int.prod > kafka.zxc.stage.33173: [bad udp cksum 0x4e30 -> 0x6909!] 14677* q: A? kafka.stage. 2/2/2 kafka.stage. [10m] CNAME kafka.zxc.stage., kafka.zxc.stage. [10m] A 100.200.40.22 ns: stage.zone. [30m] NS dns2-int.prod., stage.zone. [30m] NS dns-int.prod . ar: dns-int.prod . [1h] A 100.100.100.200, dns2-int.prod. [30m] A 100.100.100.100 (174)

发送下一个请求，大约等待2-3秒，控制台返回“;;连接超时；无法到达服务器”-

4662 IP (tos 0x0, ttl 64, id 40543, offset 0, flags [none], proto UDP (17), length 129) 
dns-int.prod > kafka.zxc.stage.52157: [bad udp cksum 0x4de7 -> 0x6fe7!] 53* q: AAAA? kafka.zxc.stage. 0/1/0 ns: stage.zone. [4d] SOA dns1.prod. admindn.mail.(101)

据我了解，A记录适用于IPv4，而AAAA记录适用于IPv6。

我仍然不明白他为什么要尝试以这种方式发送请求。如果有人能指出我寻找解决方案的方向，我将非常高兴。我也会寻找解决方案。谢谢。

所有这一切，如果我向 dns1 发送 nslookup 不间断请求，dns2（从属）不会有错误。

nslookup 到 dns1 的示例 -

 # nslookup kafka.zxc.stage 100.100.100.100
Server:     100.100.100.100
Address:    100.100.100.100#53

kafka.zxc.stage canonical name = kafka.stage.
Name:   kafka.zxc.stage
Address: 100.200.40.22
;; connection timed out; no servers could be reached

发送答案，但连接超时？或者

# nslookup kafka.zxc.stage 100.100.100.100
;; connection timed out; no servers could be reached

这就是浮动问题。

时间太长了，我正在检查它

for i in {0..5}; do time dig @100.100.100.100 +short kafka.zxc.stage ; done 2>&1 | grep real
real    0m5.018s
real    0m5.012s
real    0m0.016s
real    0m0.013s
real    0m5.015s
real    0m10.021s

指定的配置未更改。但操作系统配置发生了变化。我正在进一步检查

谁能解释一下，redis有什么问题？）

# systemctl status m1-redis
● m1-redis-server.service - Advanced key-value store
     Loaded: loaded (/lib/systemd/system/m1-redis-server.service; enabled; vendor preset: enabled)
     Active: activating (start) since Fri 2022-02-25 12:07:04 UTC; 2h 52min left
       Docs: http://redis.io/documentation,
             man:redis-server(1)
    Process: 765 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 2274)
     Memory: 344.0K
     CGroup: /system.slice/m1-redis-server.service

Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: Starting Advanced key-value store...
Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: m1-redis-server.service: Can't open PID file /run/redis/redis-server-6381.pid (yet?) after start: Operation not permitted
Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: m1-redis-server.service: New main PID 831 does not belong to service, and PID file is not owned by root. Refusing.
Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: m1-redis-server.service: New main PID 831 does not belong to service, and PID file is not owned by root. Refusing.

# systemctl status s2-redis
● s2-redis-server.service - Advanced key-value store
     Loaded: loaded (/lib/systemd/system/s2-redis-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-02-25 12:07:04 UTC; 2h 52min left
       Docs: http://redis.io/documentation,
             man:redis-server(1)
    Process: 771 ExecStart=/usr/bin/redis-server /etc/redis/redis2.conf (code=exited, status=0/SUCCESS)
   Main PID: 837 (redis-server)
      Tasks: 4 (limit: 2274)
     Memory: 2.6M
     CGroup: /system.slice/s2-redis-server.service
             └─837 /usr/bin/redis-server *:6382 [cluster]

Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: Starting Advanced key-value store...
Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: s2-redis-server.service: Can't open PID file /run/redis/redis-server-6382.pid (yet?) after start: Operation not permitted
Feb 25 12:07:04 rrm-ubuntu1 systemd[1]: Started Advanced key-value store.

# redis-cli -c -h 10.61.10.125 -p 6382
10.61.10.125:6382> ping
PONG
10.61.10.125:6382>
# redis-cli -c -h 10.61.10.125 -p 6381
10.61.10.125:6381> ping
PONG

# ps -aux | grep redis
redis        831  0.1  0.3  63504  7032 ?        Ssl  09:13   0:00 /usr/bin/redis-server *:6381 [cluster]
redis        837  0.2  0.3  55824  6368 ?        Ssl  09:13   0:00 /usr/bin/redis-server *:6382 [cluster]
root        1237  0.0  0.0   6432   736 pts/0    S+   09:15   0:00 grep --color=auto redis

猫单位。

# cat /lib/systemd/system/m1-redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
PIDFile=/var/run/redis/redis-server-6381.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=m1-redis.service


# cat /lib/systemd/system/s2-redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis2.conf
PIDFile=/var/run/redis/redis-server-6382.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=s2-redis.service

祝大家有美好的一天。升起 Ubuntu 20.04，进入域。然而，事实证明，用户在重新启动后，无法在域帐户下登录系统。但是，如果你切断了网络，那么他可以进入系统。

并且 ssh 身份验证也不起作用。在日志中 -xe

ноя 02 14:13:22 dev-n-03 sshd[129588]: pam_sss(sshd:account): Access denied for user [email protected]: 4 (System error)
ноя 02 14:13:22 dev-n-03 sshd[129588]: Failed password for [email protected] from 192.168.53.11 port 50680 ssh2
ноя 02 14:13:22 dev-n-03 sshd[129588]: fatal: Access denied for user [email protected] by PAM account configuration [preauth]

dm-crypt 目前有两个可用的前端：cryptsetup 和 cryptmount。谁知道cryptmount和cryptsetup的区别？