2018 年 5 月 10 日
 

Docker 软件源仓库及本地镜像仓库配置

https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
https://download.docker.com/linux/centos/docker-ce.repo

修改docker-ce软件源仓库配置文件(使用清华或科大镜像服务器)

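# Point the docker-ce yum repo at a domestic mirror. Pick ONE of the two lines below
# (running both is harmless: the second sed simply finds nothing left to replace).
# Original second line had a typo in the target path (".rep"), fixed here.
#
# NOTE(security): the upstream docker-ce.repo uses download.docker.com for its
# gpgkey= line too, so this rewrite moves *key* trust to the mirror as well — with
# gpgcheck=1 yum then only proves that packages match whatever key the mirror serves.
# Before the first install, download the key from the mirror and compare its
# fingerprint with the one printed in Docker's official CentOS install docs, e.g.:
#   curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg -o /tmp/docker.gpg
#   gpg --with-fingerprint /tmp/docker.gpg      # (gpg --show-keys on newer gpg)
#   rpm --import /tmp/docker.gpg                # only after the fingerprint matches
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
sed -i 's+download.docker.com+mirrors.ustc.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo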

手动添加软件源仓库配置文件

[root@swarm1 ~]# vi /etc/yum.repos.d/docker-ce.repo
# /etc/yum.repos.d/docker-ce.repo — Docker CE for CentOS 7, served from the USTC mirror.
# Only [docker-ce-stable] is enabled; the edge/test/nightly channels and the debuginfo/source
# variants are enabled=0 and should stay that way on production hosts.
#
# NOTE(security): gpgcheck=1 makes yum verify every package signature, but gpgkey= also
# points at the mirror, so a compromised mirror could serve packages together with a
# matching key. Import Docker's key once, after comparing its fingerprint with the one in
# Docker's official install docs, so that a later prompt to import an *unexpected* key
# stands out instead of being accepted by habit (or by -y).
[docker-ce-stable]
name=Docker CE Stable - $basearch
# $basearch is expanded by yum (x86_64 here, see the transaction summary below).
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

# edge/test/nightly are pre-release channels: same key, less tested code. Keep disabled.
[docker-ce-edge]
name=Docker CE Edge - $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-edge-debuginfo]
name=Docker CE Edge - Debuginfo $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/debug-$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-edge-source]
name=Docker CE Edge - Sources
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/source/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg

[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/7/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/docker-ce/linux/centos/gpg


安装

[root@swarm1 ~]# yum makecache
[root@swarm1 ~]# yum install docker-ce

版本和依赖

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
docker-ce x86_64 18.03.1.ce-1.el7.centos docker-ce-stable 35 M
Installing for dependencies:
audit-libs-python x86_64 2.8.1-3.el7 base 75 k
checkpolicy x86_64 2.5-6.el7 base 294 k
container-selinux noarch 2:2.55-1.el7 extras 34 k
libcgroup x86_64 0.41-15.el7 base 65 k
libseccomp x86_64 2.3.1-3.el7 base 56 k
libsemanage-python x86_64 2.5-11.el7 base 112 k
libtool-ltdl x86_64 2.4.2-22.el7_3 base 49 k
pigz x86_64 2.3.4-1.el7 epel 81 k
policycoreutils-python x86_64 2.5-22.el7 base 454 k
python-IPy noarch 0.75-6.el7 base 32 k
setools-libs x86_64 3.3.8-2.el7 base 619 k

Transaction Summary
================================================================================
Install 1 Package (+11 Dependent packages)

启用并启动docker服务

[root@swarm1 ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@swarm1 ~]# systemctl start docker
[root@swarm1 ~]#

配置公共镜像加速器(registry-mirrors,走 HTTPS)并允许连接本地非 HTTPS 私有镜像仓库(insecure-registries)。注意:列入 insecure-registries 的仓库使用明文 HTTP(或不受信任证书的 HTTPS),拉取的镜像在传输中既不加密也不校验来源,处于同一网络路径上的攻击者可以替换镜像内容;只应在隔离的内网中临时使用,并尽快为 192.168.50.216:5000 配置正式 TLS 证书后将其从该列表移除。修改 daemon.json 后需要 systemctl restart docker 才会生效。

[root@swarm1 ~]# vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"],
"insecure-registries": ["192.168.50.216:5000"]
}
2018 年 5 月 7 日
 

适用于docker环境的CentOS7 防火墙服务处理

停用默认的 firewalld 防火墙服务(Docker 会直接写入 iptables 规则,与 firewalld 动态管理的规则容易相互覆盖,因此下面改用 iptables-services 静态管理规则)

[root@swarm1 ~]# systemctl stop firewalld
[root@swarm1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@swarm1 ~]#

安装iptables防火墙服务

[root@swarm1 ~]# yum install iptables-services

版本和依赖

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
iptables-services x86_64 1.4.21-24.1.el7_5 updates 51 k
Updating for dependencies:
iptables x86_64 1.4.21-24.1.el7_5 updates 432 k

Transaction Summary
================================================================================
Install 1 Package
Upgrade ( 1 Dependent package)

启动 iptables 服务并设置为随系统启动。注意:iptables 服务启动/重启时会用 iptables-restore 加载 /etc/sysconfig/iptables,这会替换整个 filter 表并清掉 Docker 自己建立的链(DOCKER、DOCKER-USER 等);如果 docker 已经在运行,之后需要 systemctl restart docker 重建规则。

[root@swarm1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@swarm1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@swarm1 ~]# systemctl start iptables

查看 iptables 规则(建议使用 iptables -nvL:不带 -v 时看不到网卡列,下面第三条 "ACCEPT all -- anywhere anywhere" 实际上是只放行 lo 回环接口的那条规则,并不是放行所有流量)

[root@swarm1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@swarm1 ~]#

查看iptables规则默认配置文件

[root@swarm1 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
#
# Review notes for a Docker host (docker-ce 18.03 per the install above):
# - Docker programs iptables itself and inserts its own FORWARD jumps (DOCKER-USER,
#   DOCKER-ISOLATION*, DOCKER) ahead of the rules below, so the catch-all FORWARD REJECT
#   at the bottom does not break container traffic while dockerd is running.
# - Published container ports (-p host:container) are DNATed and traverse FORWARD, not
#   INPUT, so the "ssh only" INPUT policy below does NOT restrict them. Filter published
#   ports with rules in the DOCKER-USER chain, which Docker evaluates before its own rules.
# - Reloading this file (systemctl restart iptables) runs iptables-restore, which replaces
#   the filter table and drops Docker's chains; restart dockerd afterwards to recreate them.
# - If this node joins a Swarm (the hostname suggests so), the cluster ports — 2377/tcp,
#   7946/tcp+udp, 4789/udp — need INPUT rules restricted to the other cluster nodes.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@swarm1 ~]#
2018 年 1 月 25 日
 
# Timing breakdown of a single HTTPS request (seconds, each value measured from the start
# of the request, so they are cumulative):
#   namelookup     DNS resolution finished
#   connect        TCP connection established
#   appconnect     TLS handshake finished
#   pretransfer    about to send the request
#   redirect       time spent in redirects (stays 0 without -L)
#   starttransfer  first byte of the response received (time to first byte)
# -s silences progress *and* error output (add -S to still see errors); -o /dev/null
# discards the body so only the -w report is printed.
# NOTE: -d 'a=b' turns this into a POST with a dummy body; drop it to time a plain GET.
curl -so /dev/null -w ' namelookup: %{time_namelookup}
 connect: %{time_connect}
 appconnect: %{time_appconnect}
 pretransfer: %{time_pretransfer}
 redirect: %{time_redirect}
 starttransfer: %{time_starttransfer}
 -------
 total: %{time_total}
' https://www.baidu.com/ -d 'a=b'
2017 年 12 月 11 日
 

 

 

 

 

{

  "Version": "1",

  "Statement": [

    {

      "Effect": "Allow",

      "Action": "oss:ListBuckets",

      "Resource": "acs:oss:*:*:*"

    },

    {

      "Effect": "Allow",

      "Action": [

        "oss:*"

      ],

      "Resource": "acs:oss:*:*:oss-resource"

    },

    {

      "Effect": "Allow",

      "Action": [

        "oss:*"

      ],

      "Resource": "acs:oss:*:*:oss-resource/*"

    }

  ]

}
2017 年 11 月 8 日
 

查看 RDS 实例(全局)字符集相关参数设置:show global variables like '%char%';

查看当前会话字符集相关参数设置:show session variables like 'coll%';(原文写的 show global variables 显示的是全局值而不是当前会话的值;show variables 不带 global/session 修饰词时默认即为 session)

查看实例支持的字符集:show character set;

查看实例支持的字符序:show collation;

查看表字符集设置:show create table table_name \G

查看数据库字符集设置:show create database database_name \G

查看存储过程字符集设置:show create procedure procedure_name \G 和 show procedure status \G

修改数据库的字符集:alter database db_name default charset utf8;

创建数据库时指定字符集:create database db_name character set utf8;

修改表字符集和字符序示例 alter table tab_name default charset utf8 collate utf8_general_ci;

注意:MySQL 中的 utf8 实际是 utf8mb3(每字符最多 3 字节),无法存储 emoji 等 4 字节字符;新建库表建议直接使用 utf8mb4(对应字符序如 utf8mb4_general_ci / utf8mb4_unicode_ci)。

 

字符序命名规则:

以字符序对应的字符集名称开头,以_ci(大小写不敏感)、_cs(大小写敏感)、_bin(按编码值比较)结尾。例如:当会话的collation_connection设置为字符序utf8_general_ci时,字符a和字符A是等价的;而当其设置为utf8_bin时,字符a和字符A是不等价的。

2017 年 10 月 5 日
 

Apache
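# Apache (mod_ssl + mod_headers): TLS 1.2+ only, forward-secret AES suites, server-chosen order.
# Quotes below are plain ASCII " — the curly quotes the page rendered are not valid quoting
# and the Header / SSLStaplingCache directives will not parse as intended with them.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Everything below TLS 1.2 is switched off; TLS 1.3 is allowed when the OpenSSL build has it.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# preload + includeSubDomains commits every subdomain to HTTPS for two years and is very hard
# to undo once submitted to the browser preload list; only add "preload" if you intend to submit.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
# SSLStaplingCache is a server-level directive (outside <VirtualHost>).
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off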

nginx
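# nginx TLS settings. Quotes are plain ASCII " (the page rendered curly quotes, which nginx rejects).
# TLS 1.3 needs nginx >= 1.13.0 *and* an OpenSSL >= 1.1.1 build; listing only TLSv1.3 would lock
# out every client without TLS 1.3 support, so TLS 1.2 is kept alongside it.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# This list only governs TLS 1.2 suites (TLS 1.3 suites are fixed by OpenSSL). The original also
# named "...-AES256-GCM-SHA512" suites, which do not exist in OpenSSL and were silently ignored;
# they are dropped here. The list is RSA-only: add ECDHE-ECDSA-* entries if the certificate is ECDSA.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# Pins a single curve. With OpenSSL >= 1.1.0 a list such as "X25519:secp384r1" is faster and
# more widely supported by clients.
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
# Verifying the stapled OCSP response needs the issuer chain in ssl_trusted_certificate.
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# Resolver used for the OCSP lookups: replace the placeholders with trusted (ideally local) resolvers.
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
# add_header is NOT inherited into a server/location block that has its own add_header — repeat these
# there. "always" (nginx >= 1.7.5) also emits the header on error responses, which HSTS needs.
# HSTS with preload+includeSubDomains is hard to undo; only add "preload" if you will submit the domain.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# X-XSS-Protection is legacy: current browsers ignore it and modern guidance is "0" or omit it.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none always;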

Lighttpd
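# Lighttpd: quotes are plain ASCII " (the page rendered curly quotes, which the config parser rejects).
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression = "disable"
# HSTS with preload+includeSubDomains commits all subdomains to HTTPS for two years and is hard
# to undo; only add "preload" if you intend to submit the domain to the preload list.
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff"
)
# Only SSLv2/SSLv3 are turned off here; TLS 1.0/1.1 stay enabled, unlike the Apache/nginx stanzas
# on this page. Newer lighttpd releases can raise the minimum version via ssl.openssl.ssl-conf-cmd.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"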

 

haproxy
global
# force-tlsv12 pins exactly TLS 1.2 (which also shuts out TLS 1.3). HAProxy >= 1.8 spells this
# "ssl-min-ver TLSv1.2" and deprecates the force-* options.
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend http-in
mode http
option httplog
option forwardfor
option http-server-close
option httpclose
bind 192.0.2.10:80
# Everything arriving on :80 is bounced to HTTPS before any content is served.
redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
# No "mode http" here: it is presumably inherited from a defaults section not shown on this page;
# rspadd/HSTS only work in HTTP mode.
option httplog
option forwardfor
option http-server-close
option httpclose
# rspadd is deprecated (removed in HAProxy 2.1); the replacement is
#   http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Note max-age is one year here but two years in the other stanzas on this page.
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rspadd X-Frame-Options:\ DENY
# haproxy.pem bundles the certificate chain and the private key: keep it root-only (0600).
bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3

Postfix
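# Postfix main.cf (comments must start at column 0: an indented line is a continuation).
# smtpd_use_tls is the obsolete spelling; smtpd_tls_security_level below supersedes it.
smtpd_use_tls=yes
# "may" = opportunistic STARTTLS, the right level for an MX: mandatory TLS would bounce mail
# from senders that cannot do TLS at all.
smtpd_tls_security_level = may
# Never offer AUTH on a cleartext session.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
# The *mandatory* lists only apply where the level is "encrypt" (e.g. a submission service
# in master.cf) and can be strict.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# For opportunistic TLS, excluding TLS 1.0/1.1 does not raise security: a sender that only
# speaks those falls back to *cleartext*, not to a stronger protocol. The original excluded
# TLSv1/TLSv1.1 here too; the opportunistic list is kept lenient on purpose.
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = medium
# Overriding tls_medium_cipherlist changes the "medium" grade for every Postfix TLS client and
# server on this host; the Postfix docs advise against changing these lists. This AES128-only
# value also excludes all AES-256 suites.
tls_medium_cipherlist = AES128+EECDH:AES128+EDH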

Exim
# Exim main configuration (comments on their own lines; trailing comments are not supported).
# Private key must be readable only by the Exim user (0600).
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
# Offer STARTTLS to every client.
tls_advertise_hosts = *
tls_require_ciphers = AES128+EECDH:AES128+EDH
# Only SSLv2/SSLv3 are switched off; TLS 1.0/1.1 remain enabled. Exim builds that support them
# accept +no_tlsv1 +no_tlsv1_1 as well — but on an MX doing opportunistic TLS that mostly pushes
# old senders back to cleartext, so weigh it as with the Postfix stanza above.
openssl_options = +no_sslv2 +no_sslv3

ProFTPd
# ProFTPD mod_tls: TLS 1.2 only, and TLS is required for both control and data connections
# ("TLSRequired on"), so there is no plaintext fallback.
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1.2
TLSRequired on
TLSCipherSuite AES128+EECDH:AES128+EDH
# Private key must be readable only by root (0600).
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile /etc/proftpd.key

Dovecot
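# Dovecot does not treat "# ..." after a setting as a comment — it becomes part of the value and
# the setting fails to parse — so the version notes from the original are moved to their own lines.
ssl = yes
# "<" reads the file contents; keep the key file root-only (0600).
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
# Only SSLv2/SSLv3 are disabled here; TLS 1.0/1.1 stay on, unlike the HTTP stanzas on this page.
# Dovecot 2.3+ replaces ssl_protocols with ssl_min_protocol (e.g. ssl_min_protocol = TLSv1.2).
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
# Requires Dovecot >= 2.2.6
ssl_prefer_server_ciphers = yes
# Requires Dovecot >= 2.2 (Dovecot 2.3+ uses "ssl_dh = </path/to/dh.pem" instead)
ssl_dh_parameters_length = 4096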

MySQL
[mysqld]
# Server-side TLS material: CA plus server certificate/key (key file root/mysql-only, 0600).
# This makes TLS *available*; clients may still connect in cleartext unless it is required,
# either per account (REQUIRE SSL, as in the GRANT below) or globally with
# require_secure_transport=ON on MySQL 5.7+.
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
# AES128-only forward-secret suites; excludes all AES-256 suites.
ssl-cipher=AES128+EECDH:AES128+EDH
# replication:
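-- Replication account and replica-side TLS setup (quotes are plain ASCII ' — the page rendered
-- curly quotes, which are a syntax error).
-- The account has no password here and '%' lets any host try to log in: create it first with
-- CREATE USER 'repl'@'<replica-ip>' IDENTIFIED BY '...' (GRANT no longer creates accounts in 8.0)
-- and restrict the host part to the replica's address.
GRANT REPLICATION SLAVE ON *.* to 'repl'@'%' REQUIRE SSL;
STOP SLAVE;
-- CHANGE MASTER requires the TO keyword (the original omitted it and would not parse).
-- MASTER_SSL_VERIFY_SERVER_CERT=1 makes the replica verify the master's certificate against
-- MASTER_SSL_CA; without it REQUIRE SSL only encrypts the link and any certificate is accepted,
-- so a man-in-the-middle can still impersonate the master. The master's certificate must carry
-- the hostname used in MASTER_HOST for this check to pass.
CHANGE MASTER TO MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem',
MASTER_SSL_VERIFY_SERVER_CERT=1;
-- \G already terminates the statement in the mysql client; a trailing ';' produces
-- "ERROR: No query specified".
SHOW SLAVE STATUS\G
START SLAVE;
SHOW SLAVE STATUS\G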

DirectAdmin
ssl_cipher=AES128+EECDH:AES128+EDH
SSL=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
carootcert=/usr/local/directadmin/conf/carootcert.pem

Postgresql
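# postgresql.conf — quotes are plain ASCII ' (the page rendered curly quotes, which are rejected).
# ssl = on only makes TLS available; require it per client with "hostssl" lines in pg_hba.conf.
ssl = on
ssl_ciphers = 'AES128+EECDH:AES128+EDH'
# "on" is the legacy alias for md5. PostgreSQL 10+ supports 'scram-sha-256', which does not put
# reusable md5 hashes on the wire or in pg_authid; switch once every client/libpq is >= 10
# (the value is rejected by older servers, so it is left as-is here).
password_encryption = on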

OpenSSH Server
# sshd_config excerpt: modern key exchange, AEAD ciphers and encrypt-then-MAC first.
# "Protocol 2" is a no-op on recent OpenSSH (server-side SSH-1 support was removed in 7.4); harmless.
Protocol 2
# Ed25519 first; RSA kept for clients without Ed25519 support. No ECDSA/DSA host keys are offered.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# diffie-hellman-group-exchange-sha256 picks a group from /etc/ssh/moduli; the usual hardening
# advice is to remove the small groups (e.g. below 3072 bits) from that file, otherwise a weak
# group can still be negotiated.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# AEAD modes first; the CTR entries keep older clients working.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Encrypt-then-MAC variants first; the plain hmac-sha2-* / umac-128 entries are the compatibility tail.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

OpenSSH Client
# ~/.ssh/config excerpt. Host-specific blocks must come before "Host *": ssh uses the first
# value it finds for each option, so the "Host *" block only fills in what earlier blocks left unset.
HashKnownHosts yes
Host github.com
# Narrower MAC list for this host only; it overrides the MACs entry under "Host *" below.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
Host *
ConnectTimeout 30
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ServerAliveInterval 10
# Connection multiplexing: anyone who can open the control socket gets a session as you without
# re-authenticating. "ControlPersist yes" keeps the master alive indefinitely; a bounded value
# (e.g. 10m) limits that window. Keep ~/.ssh at mode 0700.
ControlMaster auto
ControlPersist yes
# %r@%h:%p exposes user/host/port in directory listings and process lists; newer OpenSSH offers
# %C (a hash of those fields) which also keeps the path under the unix-socket length limit.
ControlPath ~/.ssh/socket-%r@%h:%p