AskOverflow.Dev

Bones's questions

Bones
Asked: 2024-11-23 00:26:38 +0800 CST

Ports blocked for incoming traffic

  • 5

I did a fresh install of Ubuntu 24.04 on a cloud server to run iRedMail 1.7.1.

The server shows

sudo ufw status verbose
Status: inactive

and

$ ss -ltn
.
.
LISTEN       0            511                      0.0.0.0:443                      0.0.0.0:*                        
.
.
.

but from an external machine I get

Nmap scan report for xx.xx.xx.xx
Host is up (0.023s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  closed http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s

If I issue

server:~$ sudo ufw disable
Firewall stopped and disabled on system startup
server:~$ sudo shutdown -r now

and then after the reboot I get

Nmap scan report for xx.xx.xx.xx
Host is up (0.011s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

as expected. This lasts for a few minutes, then something closes the ports again. UFW still shows as "inactive".

What could be causing this behaviour?

Given the delay before the ports close, could it be related to How to fix netplan configuration not being applied automatically after reboot? and the netplan generator?

Replying to mpboden: I was immediately worried about 443, but NMAP shows the port as either open or filtered when trying to communicate via the HTTPS interface. My Netplan configuration is

network:
  version: 2
  renderer: networkd
  ethernets:
      eth0:
          dhcp4: no
          addresses: [xx.xx.xx.xx/24]
          routes:
              - to: default
                via: xx.xx.xx.xx          
          nameservers:
              addresses: [8.8.8.8, 208.67.222.222]

I found no clues in the log files, but that may be because I failed to spot something important.

Regarding Thomas Ward's point, I have tried explicitly opening the ports in UFW, see Ports open in UFW but still closed to the outside world, but that made no difference. So I have set UFW to inactive, at least until I figure this out.

The delay suggests that some other Netplan component may be running asynchronously and changing the port configuration. But where do I look?

I have set up another, working server for comparison. The problem seems to be related to systemd-networkd-wait-online.service failing to start. When running checks (systemctl status) on postfix, dovecot and nginx, all three on this server show "Warning: some journal files were not opened due to insufficient permissions." The working server does not have this warning. I have started going through the files in the /etc/postfix (etc.) folders to compare permissions. Would it help to list the status files here?

After comparing systemd-networkd-wait-online.service between the physical (working) server and the (problematic) virtual server, the virtual server contains the following lines:

$ sudo systemctl edit systemd-networkd-wait-online.service
### Editing /etc/systemd/system/systemd-networkd-wait-online.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file

[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online -i enp0s3:degraded --timeout=30

### Edits below this comment will be discarded

The physical server does not have these non-comment lines, so I deleted them on the virtual server. They were re-inserted.

I also checked the Netplan configuration:

$ sudo netplan --debug apply

** (generate:73362): DEBUG: 09:58:53.126: starting new processing pass
** (generate:73362): DEBUG: 09:58:53.127: eth0: adding new route
** (generate:73362): DEBUG: 09:58:53.127: We have some netdefs, pass them through a final round of validation
** (generate:73362): DEBUG: 09:58:53.127: eth0: setting default backend to 1
** (generate:73362): DEBUG: 09:58:53.127: Configuration is valid
** (generate:73362): DEBUG: 09:58:53.128: Generating output files..
** (generate:73362): DEBUG: 09:58:53.128: Open vSwitch: definition eth0 is not for us (backend 1)
** (generate:73362): DEBUG: 09:58:53.128: NetworkManager: definition eth0 is not for us (backend 1)
DEBUG:netplan generated networkd configuration changed, reloading networkd
DEBUG:Cannot call Open vSwitch: Cannot apply OVS cleanup: ovsdb-server.service is 'not-found'.
DEBUG:no netplan generated NM configuration exists
** (process:73361): DEBUG: 09:58:53.607: starting new processing pass
** (process:73361): DEBUG: 09:58:53.608: eth0: adding new route
** (process:73361): DEBUG: 09:58:53.608: We have some netdefs, pass them through a final round of validation
** (process:73361): DEBUG: 09:58:53.608: eth0: setting default backend to 1
** (process:73361): DEBUG: 09:58:53.608: Configuration is valid
DEBUG:Merged config:
b''
DEBUG:Link changes: {}
DEBUG:netplan triggering .link rules for lo
DEBUG:netplan triggering .link rules for eth0
** (process:73361): DEBUG: 09:58:53.749: starting new processing pass
** (process:73361): DEBUG: 09:58:53.750: eth0: adding new route
** (process:73361): DEBUG: 09:58:53.751: We have some netdefs, pass them through a final round of validation
** (process:73361): DEBUG: 09:58:53.751: eth0: setting default backend to 1
** (process:73361): DEBUG: 09:58:53.751: Configuration is valid
DEBUG:Merged config:
b''

and then

$ sudo networkctl status

● Interfaces: 1, 2
       State: routable                        
Online state: online                          
     Address: xx.xx.xx.xx on eth0
              xx:xx:xx:xx:xx:xx on eth0
     Gateway: xx.xx.xx.xx on eth0
         DNS: 8.8.8.8
              208.67.222.222

Nov 25 17:00:42 example.com systemd-networkd[667]: eth0: found matching network '/run/systemd/network/10-netplan-eth0.network', based on potentially unpredictable interface name.
Nov 25 17:00:42 example.com systemd[1]: Starting systemd-networkd-wait-online.service - Wait for Network to be Configured...
Nov 25 17:00:43 example.com systemd-networkd[667]: eth0: Gained IPv6LL
Nov 25 17:01:12 example.com systemd[1]: systemd-networkd-wait-online.service: Main process exited, code=exited, status=1/FAILURE
Nov 25 17:01:12 example.com systemd[1]: systemd-networkd-wait-online.service: Failed with result 'exit-code'.
Nov 25 17:01:12 example.com systemd[1]: Failed to start systemd-networkd-wait-online.service - Wait for Network to be Configured.
Nov 25 17:35:12 example.com systemd[1]: Starting systemd-networkd-wait-online.service - Wait for Network to be Configured...
Nov 25 17:35:42 example.com systemd[1]: systemd-networkd-wait-online.service: Main process exited, code=exited, status=1/FAILURE
Nov 25 17:35:42 example.com systemd[1]: systemd-networkd-wait-online.service: Failed with result 'exit-code'.
Nov 25 17:35:42 example.com systemd[1]: Failed to start systemd-networkd-wait-online.service - Wait for Network to be Configured.

Then checking Postfix, Dovecot and nginx

$ systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: enabled)
     Active: active (exited) since Mon 2024-11-25 17:55:25 UTC; 20min ago
       Docs: man:postfix(1)
    Process: 1875 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 1875 (code=exited, status=0/SUCCESS)
        CPU: 4ms

Warning: some journal files were not opened due to insufficient permissions.

$ systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-11-25 17:55:20 UTC; 23min ago
       Docs: man:dovecot(1)
             https://doc.dovecot.org/
   Main PID: 719 (dovecot)
     Status: "v2.3.21 (47349e2482) running"
      Tasks: 17 (limit: 3481)
     Memory: 33.8M (peak: 40.8M)
        CPU: 552ms
     CGroup: /system.slice/dovecot.service
             ├─ 719 /usr/sbin/dovecot -F
             ├─ 732 dovecot/lmtp -L
             ├─ 733 dovecot/anvil
             ├─ 734 dovecot/log
             ├─ 735 dovecot/lmtp -L
             ├─ 736 dovecot/lmtp -L
             ├─ 737 dovecot/lmtp -L
             ├─ 738 dovecot/lmtp -L
             ├─ 740 dovecot/config
             ├─ 747 dovecot/stats
             ├─4383 dovecot/auth
             ├─4387 dovecot/auth -w
             ├─4388 dovecot/auth -w
             ├─4395 dovecot/dict
             ├─4396 dovecot/dict
             ├─4407 dovecot/imap-login
             └─4413 dovecot/imap

Warning: some journal files were not opened due to insufficient permissions.


$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-11-25 17:55:20 UTC; 25min ago
       Docs: man:nginx(8)
    Process: 741 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 838 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 859 (nginx)
      Tasks: 2 (limit: 3481)
     Memory: 5.0M (peak: 5.3M)
        CPU: 409ms
     CGroup: /system.slice/nginx.service
             ├─859 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             └─860 "nginx: worker process"

Warning: some journal files were not opened due to insufficient permissions.

Finally, I found that the system works fine unless I use Roundcube, which closes the ports again. If I only access email via imap, the ports stay open.

I take that back. It was open for a while and then closed again. In fact, over several hours it came and went. Could this be a conflict between two components trying to control the network?

I don't know where the override file for systemd-networkd-wait-online.service comes from. I tried deleting the three active lines, but the next time I looked they had reappeared. The status file shows:

$ networkctl status eth0
● 2: eth0
                   Link File: /usr/lib/systemd/network/99-default.link
                Network File: /run/systemd/network/10-netplan-eth0.network
                       State: routable (configured)
                Online state: online                                                                       
                        Type: ether
                        Path: pci-0000:00:12.0
                      Driver: virtio_net
                      Vendor: Red Hat, Inc.
                       Model: Virtio network device
           Alternative Names: enp0s18
                              ens18
            Hardware Address: 00:16:3e:0b:31:2b (Xensource, Inc.)
                         MTU: 1500 (min: 68, max: 65535)
                       QDisc: fq_codel
IPv6 Address Generation Mode: eui64
    Number of Queues (Tx/Rx): 1/1
            Auto negotiation: no
                     Address: xx.xx.xx.xx
                              xx:xx:xx:xx:xx:xx
                     Gateway: xx.xx.xx.xx
                         DNS: 8.8.8.8
                              208.67.222.222
           Activation Policy: up
         Required For Online: yes
           DHCP6 Client DUID: DUID-EN/Vendor:0000ab11e96dc6ba966458ee
                Connected To: kv0632-185-127-18-185.localdomain.local on port d2:6f:9b:c0:5b:55 (tap2010i0)

and

$ networkctl status enp0s3
Interface "enp0s3" not found.

I have modified the override file to use eth0, since I still cannot delete those lines. It is running now, but time will tell.

This has resolved the problem. Many thanks to mpboden, especially for his clear explanation of the question given below.

I spoke too soon. Only 24 hours after boot, all the ports were closed again.

From another machine:

% nmap taid.info
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-28 16:22 GMT
Nmap scan report for example.com (xx.xx.xx.xx)
Host is up (0.021s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  closed http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s

Nmap done: 1 IP address (1 host up) scanned in 35.61 seconds

and from the virtual server

$ networkctl status
● Interfaces: 2, 1
       State: routable                        
Online state: online                          
     Address: xx.xx.xx.xx on eth0
              xx:xx:xx:xx:xx:xx on eth0
     Gateway: xx.xx.xx.xx on eth0
              xx:xx:xx:xx:xx:xx on eth0
         DNS: 8.8.8.8
              208.67.222.222

Sigh...

networking
  • 1 answer
  • 130 Views
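As an added example (not code from the original post, from systemd or from netplan), here is a small POSIX shell check for the failure mode the post narrowed down to: a systemd-networkd-wait-online drop-in that names an interface (enp0s3) which does not exist on the host, so the unit times out and fails. The override text and the interface list are constructed inline to mirror the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from systemd/netplan.
# Reports interfaces named in a systemd-networkd-wait-online drop-in that
# are not present on the host (the question's override named enp0s3 while
# the only NIC was eth0, so the unit timed out and failed every boot).

# Constructed drop-in text mirroring the override shown in the question.
OVERRIDE_CONF='[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online -i enp0s3:degraded --timeout=30'

# Constructed interface list; on a real host take it from:
#   ip -o link show | awk -F': ' '{print $2}'
PRESENT_IFACES='lo
eth0'

# Print each interface named by "-i IFACE[:STATE]" or
# "--interface=IFACE[:STATE]" on the last non-empty ExecStart= line
# (the bare "ExecStart=" above it resets the list, so the last one wins).
override_ifaces() {
    printf '%s\n' "$1" | grep '^ExecStart=.' | tail -n 1 |
        awk '{
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") name = $(i + 1)
                else if ($i ~ /^--interface=/) name = substr($i, 13)
                else continue
                split(name, parts, ":")
                print parts[1]
            }
        }'
}

# Print the names from the drop-in that are absent from the interface list.
missing_ifaces() {
    for name in $(override_ifaces "$1"); do
        printf '%s\n' "$2" | grep -q -x -- "$name" || printf '%s\n' "$name"
    done
}

for name in $(missing_ifaces "$OVERRIDE_CONF" "$PRESENT_IFACES"); do
    echo "wait-online drop-in references missing interface: $name"
done
```

On a live host, feed it the contents of /etc/systemd/system/systemd-networkd-wait-online.service.d/override.conf and the real link list; an empty result means every interface the unit waits for actually exists.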
