Category Archives: Linux

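CentOS 7: Unable to Configure a Network IP

When I first installed the system I did not yet know the network environment, so I brought the network up with DHCP in order to sync the clock over the network. That setup is fine for a desktop, but not so OK for a server, because a server usually needs a fixed IP and hostname so that the outside world can always reach it at the same address. In my experience the preinstalled NetworkManager often misbehaves (it is much better in this release XD), so this post explains how to turn off NetworkManager and bring the network up with the original network service instead.

First, turn off NetworkManager (using the new commands):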

#systemctl disable NetworkManager.service
#systemctl stop NetworkManager.service
#chkconfig network on # because network is not a standard systemd service
#systemctl stop network

Next, edit /etc/sysconfig/network-scripts/ifcfg-<your interface name> (use vim or gedit) and change the contents as follows:

Original contents:

TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME="eno16777736"
UUID=3d7877b7-24e0-40fc-ac67-f2552f3ef664
ONBOOT=yes
HWADDR=00:0C:29:5B:84:12

Change it to the following:

TYPE="Ethernet"
BOOTPROTO=none       # changed to none
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="eno16777736"
UUID="b06e0794-79ce-4d9d-9703-4eff3dc7e38d"
ONBOOT="yes"
HWADDR=00:0C:29:5B:84:12
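IPADDR0=192.168.1.40 # this server's static IP; use the address that fits your own environment
GATEWAY=192.168.1.2  # this server's gateway; note: do not append "0"
DNS1=168.95.1.1      # this server's DNS (Chunghwa Telecom's DNS IP; it can also be set in /etc/resolv.conf)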

Delete the configuration file generated by NetworkManager, then start the network:

#rm -rf /etc/sysconfig/network-scripts/ifcfg-自動使用乙太網路
#systemctl start network

When done, save the file and reboot once to test whether the network works normally.

Source: http://blog.kevinlinul.idv.tw/?p=90

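Generating an SSL Certificate with openssl

There are many ways to generate an SSL certificate. Using openssl is one of the more manual ones: tedious, but it works on all GNU/Linux and Unix platforms.

Basic procedure

Generating a key pair (public-private key pair)

First you need to generate an RSA key pair (public-private key pair), using the command "openssl genrsa -out private-key-file [-des|-des3|-idea] size":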

$ openssl genrsa -out www.example.com.key -des3 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for www.example.com.key: Don't show my passphrase
Verifying - Enter pass phrase for www.example.com.key: Don't show my passphrase

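The last argument of the command is the size in bits of the key pair to generate; given the performance of today's computers, 2048 bits is recommended for better security. Because the option -des3 was added, the generated key pair is encrypted with Triple DES to strengthen the protection of the private key. You can also use -des or -idea in place of -des3 to encrypt the private key with DES or IDEA instead. (Of course the DES encryption algorithm is far too weak and should never be used.) An encrypted private key must be decrypted with its passphrase every time it is used, which is safer. If your certificate is used in a server such as Apache HTTPD, you have to enter the passphrase each time the server starts. Many people choose to leave out -des3 and generate an unencrypted private key (that is, you are not asked for a passphrase and the private key is not encrypted):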

$ openssl genrsa -out www.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)

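This command is almost the same as the one above, except that it does not ask for a passphrase. It certainly saves the trouble of entering the passphrase every time, but anyone who copies the private key file can then easily use the certificate fraudulently, which is very dangerous.

When it finishes, the new key is stored in PKCS#1 PEM format in the key file www.example.com.key (although the key's header is RSA PRIVATE KEY, the contents also carry the data needed to produce the corresponding public key):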

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

The key above is not encrypted. An encrypted key will have "Proc-Type: 4,ENCRYPTED"

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B

-----END RSA PRIVATE KEY-----

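Generating a Certificate Signing Request (CSR)

Once the key pair is generated, you need a trusted party to certify that the public key in it belongs to you. So you generate a Certificate Signing Request (CSR) for this public key and have a Certificate Authority (CA) sign it before it can be used. To generate a CSR, use the command "openssl req -new -key key-file > CSR-file":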

$ openssl req -new -key www.example.com.key > www.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:HKSAR
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:Example Ltd.

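The command above asks for the information to put in the certificate, extracts the public key from the key file, and generates the CSR. Remember that Common Name must be the full name (FQDN, Fully Qualified Domain Name) of the site that will use this certificate; if you get it wrong and have already sent it to the CA, you will have wasted money.

The generated CSR is placed in www.example.com.csr: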

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

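Just submit this CSR file to a CA; after verifying your information, the CA will sign it and issue your certificate.

Self-signed certificates

If you only want a certificate for testing, or do not want to pay a CA to sign one, you can create a self-signed certificate. Of course such a certificate carries no assurance; most software will show a warning when it encounters one, or even refuse it. To self-sign a certificate, use the command "openssl req -x509 -days number-of-days -key key-file -in CSR-file > certificate-file", for example: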

$ openssl req -x509 -days 60 -key www.example.com.key -in www.example.com.csr > www.example.com.crt

When it finishes, the file www.example.com.crt is the self-signed certificate.
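
An added example (not from the original post) of two checks worth running on the files this procedure produces: whether a private key file is passphrase-protected, and whether a CSR and a certificate really carry the public key of a given key. Function names, file names and the passphrase are constructed for the demo; the encrypted key uses -aes256 rather than -des3, and the check recognises both the Proc-Type header shown above and the PKCS#8 "ENCRYPTED PRIVATE KEY" header that newer OpenSSL releases write.

```shell
#!/bin/sh
# Added example, not part of the original post. File names and the
# passphrase are constructed sample values (demo only).

# True if the PEM private key file $1 is passphrase-protected. Covers the
# traditional "Proc-Type" header and the PKCS#8 encrypted header.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if the CSR ($2) and certificate ($3) carry the public key of key $1.
# $4 is an optional passphrase source (e.g. pass:...) for an encrypted key.
same_public_key() {
    k=$(openssl pkey -in "$1" ${4:+-passin "$4"} -pubout 2>/dev/null) || return 2
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build keys, CSRs and a self-signed certificate non-interactively in dir $1.
make_demo_files() {
    ( cd "$1" && umask 077 &&
      openssl genrsa -out plain.key 2048 &&
      openssl genrsa -aes256 -passout pass:constructed-demo-only -out enc.key 2048 &&
      openssl req -new -key plain.key -subj "/CN=www.example.com" -out plain.csr &&
      openssl req -x509 -days 60 -key plain.key -in plain.csr -out plain.crt &&
      openssl req -new -key enc.key -passin pass:constructed-demo-only \
          -subj "/CN=www.example.com" -out enc.csr
    ) >/dev/null 2>&1
}

dir=$(mktemp -d) && make_demo_files "$dir" || exit 1
for f in plain.key enc.key; do
    if key_is_encrypted "$dir/$f"; then echo "$f: encrypted"; else echo "$f: NOT encrypted"; fi
done
same_public_key "$dir/plain.key" "$dir/plain.csr" "$dir/plain.crt" &&
    echo "plain.key, plain.csr and plain.crt share one public key"
same_public_key "$dir/enc.key" "$dir/plain.csr" "$dir/plain.crt" pass:constructed-demo-only ||
    echo "enc.key does not match plain.csr / plain.crt"
rm -rf "$dir"
```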


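When you use Cacti as a network management tool, you sometimes find that the graphs show no data

Here are some directions for tracking the problem down:
1. System Utilities -> Rebuild Poller Cache
2. The system time is inaccurate; set the time again
3. The graphs were not generated; run #/usr/bin/php /srv/www/htdocs/cacti/poller.php --force
4. Permission problem; change the permissions: #chmod 777 -R /srv/www/htdocs/cacti/rra
5. Database tables are corrupted; repair with #mysqlcheck -ao cacti --auto-repair -uroot -p
6. Restart the snmpd service: #service snmpd restart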

Cloned Linux VM: network interface fails to start with "Device eth0 does not seem to be present, delaying initialization"

After using VirtualBox's "Clone" function to copy a Linux virtual machine, the network interface did not come up after boot; running ifup eth0 printed the following message.

 # ifup eth0
 
 Device eth0 does not seem to be present, delaying initialization.
 Investigation showed that the cloned VM is given a new MAC address, so Linux treats it as a different network card. Either of the two methods below solves the problem.

Method 1:
 1) First, use the following command to see which network interfaces the system currently detects
 # cat /proc/net/dev
 Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Here you can see that the interface name has become eth1

 2) Edit /etc/udev/rules.d/70-persistent-net.rules
 # vi /etc/udev/rules.d/70-persistent-net.rules
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:64:f9:37", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:64:f9:39", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

 You can change eth1 to eth0 and reboot.

 3) Edit /etc/sysconfig/network-scripts/ifcfg-eth0
 # vi /etc/sysconfig/network-scripts/ifcfg-eth0
 Change the "HWADDR=" parameter to the correct MAC address, or delete it. If the file does not have this parameter, the interface should come up automatically after the reboot in the previous step.

 4) After these changes, the interface starts normally.
 # ifup eth0

Method 2:
 1) First, use the following command to see which network interfaces the system currently detects
 # cat /proc/net/dev
 Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Here you can see that the interface name has become eth1

 2) Edit /etc/sysconfig/network-scripts/ifcfg-eth0
 # vi /etc/sysconfig/network-scripts/ifcfg-eth0
 DEVICE=eth0 -> change to DEVICE=eth1
 HWADDR= -> delete it or change it to the correct MAC address

 3) Because the device name has changed, ifcfg-eth0 must be renamed as well
 # mv ifcfg-eth0 ifcfg-eth1

 4) After these changes, the interface starts normally.
 # ifup eth1
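
An added example (not from the original post) that finds the mismatch both methods repair: ifcfg files whose HWADDR= belongs to no interface the kernel currently reports. The function names and the fixture layout are constructed for the demo; the two MAC addresses are the ones in the udev rules above, and the directories default to /etc/sysconfig/network-scripts and /sys/class/net.

```shell
#!/bin/sh
# Added example, not part of the original post. The demo at the bottom uses
# a constructed directory tree so it runs on any machine.

# Print each ifcfg-* file in $1 whose HWADDR= matches no interface under $2
# (a sysfs-style tree: <dir>/<iface>/address). MACs compare case-insensitively.
stale_hwaddr_files() {
    cfgdir=${1:-/etc/sysconfig/network-scripts}
    sysnet=${2:-/sys/class/net}
    present=$(cat "$sysnet"/*/address 2>/dev/null | tr 'A-F' 'a-f')
    for f in "$cfgdir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Take the value, drop any trailing comment, quotes and spaces.
        mac=$(sed -n 's/^HWADDR=\([^#]*\).*/\1/p' "$f" |
              tr -d "\"' " | tr 'A-F' 'a-f' | head -n 1)
        [ -n "$mac" ] || continue        # no HWADDR line: nothing to go stale
        echo "$present" | grep -qxF "$mac" || echo "$f"
    done
}

# Constructed fixture: the cloned-VM state described above, where ifcfg-eth0
# still names the original MAC but the kernel only sees the new one (eth1).
make_fixture() {
    mkdir -p "$1/cfg" "$1/sys/lo" "$1/sys/eth1"
    echo "00:00:00:00:00:00" > "$1/sys/lo/address"
    echo "08:00:27:64:f9:39" > "$1/sys/eth1/address"
    printf 'DEVICE=eth0\nHWADDR="08:00:27:64:F9:37"\nONBOOT=yes\n' > "$1/cfg/ifcfg-eth0"
    printf 'DEVICE=lo\nONBOOT=yes\n' > "$1/cfg/ifcfg-lo"
}

d=$(mktemp -d) && make_fixture "$d"
stale_hwaddr_files "$d/cfg" "$d/sys"     # prints the path of cfg/ifcfg-eth0
rm -rf "$d"
```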

Killing of MySQL Connections

Every so often I run into a situation where I need to kill a lot of connections on a MySQL server – for example, hundreds of instances of some bad query are running, making the server unusable. Many people have special scripts which can take the user, source host or query as a parameter and perform the action. There is also a way to do it using just MySQL with a few commands:


mysql> select concat('KILL ',id,';') from information_schema.processlist where user='root' and Info is null;
+------------------------+
| concat('KILL ',id,';') |
+------------------------+
| KILL 3101; |
| KILL 2946; |
+------------------------+
2 rows in set (0.00 sec)
mysql> select concat('KILL ',id,';') from information_schema.processlist where user='root' and Info is null into outfile '/tmp/a.txt';
Query OK, 2 rows affected (0.00 sec)
mysql> source /tmp/a.txt;
Query OK, 0 rows affected (0.00 sec)

Show IP address of VM as console pre-login message

 

In case you didn’t know, the pre-login message you see at a Linux console typically comes from /etc/issue.

You can customize this file to alter the message with some escape codes that will show things like the current date and time, machine name and domain, kernel version, etc. But one thing you can’t easily display is the IP address of a machine. Showing the IP address is especially useful when building a virtual machine that will use DHCP, like the Ubuntu development VM I use on my Macbook Pro. This way I can start VMware Fusion, see the IP address of the VM and then login over SSH.

In order to get the IP address to show in /etc/issue I needed to write a custom script that will rewrite /etc/issue with the IP address when the network interface is brought up. The first step was writing a simple script that will output the current IP address when run (by looking at the output of ifconfig).

/sbin/ifconfig | grep "inet addr" | grep -v "127.0.0.1" | awk '{ print $2 }' | awk -F: '{ print $2 }'

The above script will run ifconfig and print out the IP address (after filtering out the localhost interface). I saved this script to /usr/local/bin/get-ip-address. In order to get this into /etc/issue I decided to first copy /etc/issue to /etc/issue-standard, then create the following script that when run will overwrite /etc/issue with the contents of /etc/issue-standard + IP address.

Debian/Ubuntu

Save the following script as /etc/network/if-up.d/show-ip-address

#!/bin/sh
if [ "$METHOD" = loopback ]; then
    exit 0
fi

# Only run from ifup.
if [ "$MODE" != start ]; then
    exit 0
fi

cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue
echo "" >> /etc/issue

and don’t forget to mark it executable.

RedHat/CentOS

Save the following script as /sbin/ifup-local

#!/bin/sh
if [ "$1" = lo ]; then
    exit 0
fi

cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue
echo "" >> /etc/issue

and don’t forget to mark it executable.

Forwarded from

http://offbytwo.com/2008/05/09/show-ip-address-of-vm-as-console-pre-login-message.html