302009

Implementing a highly available NFS file-sharing service with DRBD + Heartbeat

Implementing a highly available NFS file-sharing service with DRBD + Heartbeat
(By: Liang Liwen, 2009-06-30, QQ/MSN/E-mail: liangliwen#gmail.com)

1. Goal: two NFS servers act as redundant peers (failover takes roughly 2x ms), keeping the NFS file-sharing service available.

2. System: CentOS 5.3
Two nodes: primary node1 (192.168.10.111) and standby node2 (192.168.10.112); the virtual IP 192.168.10.113 is the address clients use.
node1 /etc/hosts:
[root@node1 ha.d]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.10.111          node1
192.168.10.112          node2
127.0.0.1               node1 localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

node2 /etc/hosts:
[root@node2 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.10.111          node1
192.168.10.112          node2
127.0.0.1               node2 localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

The two machines mirror /dev/hda5 to each other.
/etc/exports is identical on both machines:
cat /etc/exports
/u1 192.168.10.0/255.255.255.0(rw,no_root_squash,no_all_squash,sync)
Make sure the portmap service is running on both machines.

3. Required software: DRBD provides the network disk mirror; Heartbeat manages the resources that provide the NFS service and moves them to the surviving node when a node fails.
The DRBD and Heartbeat RPMs were both downloaded from http://mirror.centos.org/centos/5.3/extras/i386/RPMS; the installation steps are omitted here.
DRBD's kernel module has to be loaded by hand; after installing the RPM run:
insmod /lib/modules/2.6.9-78.ELsmp/extra/drbd.ko
modprobe drbd

4. Configuration
1. DRBD configuration: there is a single configuration file, /etc/drbd.conf, with identical contents on both nodes:
global { usage-count yes; }
common { syncer { rate 10M; } }
resource r0 {
    protocol C;
    startup {
    }
    disk {
        on-io-error   detach;
    }
    net {
    }
    on node1 {
        device    /dev/drbd0;
        disk      /dev/hda5;
        address   192.168.10.111:7789;
        meta-disk internal;
    }
    on node2 {
        device    /dev/drbd0;
        disk      /dev/hda5;
        address   192.168.10.112:7789;
        meta-disk internal;
    }
}

Run on both machines:
drbdadm create-md r0   # create the metadata for resource r0
/etc/init.d/drbd start # start drbd
cat /proc/drbd         # check the status; healthy output looks like this:
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by buildsvn@c5-i386-build, 2008-10-02 13:31:44
0: cs:Connected st:Secondary/Primary ds:UpToDate/UpToDate C r---
ns:1848 nr:14357752 dw:14359600 dr:653 al:6 bm:901 lo:0 pe:0 ua:0 ap:0
resync: used:0/61 hits:928654 misses:1079 starving:0 dirty:0 changed:1079
act_log: used:0/127 hits:456 misses:6 starving:0 dirty:0 changed:6
On the primary server run:
drbdsetup /dev/drbd0 primary -o # make this node the primary
mkfs.ext3 /dev/drbd0            # create the file system
mount /dev/drbd0 /u1            # mount it
cat /proc/drbd                  # the status should now look like this:
[root@node1 ha.d]# cat /proc/drbd
version: 8.0.13 (api:86/proto:86)
GIT-hash: ee3ad77563d2e87171a3da17cc002ddfd1677dbe build by buildsvn@c5-i386-build, 2008-10-02 13:31:44
0: cs:Connected st:Primary/Secondary ds:UpToDate/UpToDate C r---
ns:14357752 nr:1848 dw:361872 dr:13998555 al:264 bm:3581 lo:0 pe:0 ua:0 ap:0
resync: used:0/61 hits:928654 misses:1079 starving:0 dirty:0 changed:1079
act_log: used:0/127 hits:89742 misses:268 starving:0 dirty:4 changed:264
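The /proc/drbd status line above is what an operator reads before trusting a failover or promoting a node. As an added example (not code from the original post), here is a small Python monitor that parses that line and answers two questions: is the resource Connected with both disks UpToDate, and is it safe to run the drbdsetup ... primary -o step shown above. The sample status texts are constructed from the format in the post, not captured from a live host; the function names parse_proc_drbd, check_device and safe_to_promote are mine.

```python
import re

# Constructed sample modeled on the post's /proc/drbd output (not captured from a real host).
SAMPLE_OK = """version: 8.0.13 (api:86/proto:86)
 0: cs:Connected st:Primary/Secondary ds:UpToDate/UpToDate C r---
    ns:14357752 nr:1848 dw:361872 dr:13998555 al:264 bm:3581 lo:0 pe:0 ua:0 ap:0
"""

# Constructed: what the same line looks like when the replication link is down.
SAMPLE_SPLIT = """version: 8.0.13 (api:86/proto:86)
 0: cs:StandAlone st:Primary/Unknown ds:UpToDate/DUnknown   r---
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
"""

# One line per minor device: "<minor>: cs:<conn> st:<local>/<peer> ds:<local>/<peer> ...".
# DRBD 8.0 prints the roles as "st:"; later 8.x releases print "ro:", so both are accepted.
DEVICE_RE = re.compile(
    r"^\s*(?P<minor>\d+): cs:(?P<cs>\S+) (?:st|ro):(?P<role>\S+)/(?P<peer_role>\S+)"
    r" ds:(?P<ds>\S+)/(?P<peer_ds>\S+)",
    re.MULTILINE,
)


def parse_proc_drbd(text):
    """Return {minor: {cs, role, peer_role, ds, peer_ds}} for every device in /proc/drbd text."""
    return {
        int(m.group("minor")): {
            "cs": m.group("cs"),
            "role": m.group("role"),
            "peer_role": m.group("peer_role"),
            "ds": m.group("ds"),
            "peer_ds": m.group("peer_ds"),
        }
        for m in DEVICE_RE.finditer(text)
    }


def check_device(status, minor=0):
    """Return (healthy, reasons). Healthy means Connected with both disks UpToDate."""
    dev = status.get(minor)
    if dev is None:
        return False, ["device drbd%d not present" % minor]
    reasons = []
    if dev["cs"] != "Connected":
        reasons.append("connection state is %s, not Connected" % dev["cs"])
    if dev["ds"] != "UpToDate":
        reasons.append("local disk is %s" % dev["ds"])
    if dev["peer_ds"] != "UpToDate":
        reasons.append("peer disk is %s" % dev["peer_ds"])
    return not reasons, reasons


def safe_to_promote(status, minor=0):
    """True only if the local disk is UpToDate and the peer is not already Primary.

    Forcing Primary (the -o flag) while the peer is Primary and the link is down
    leaves two writable copies, which is the split-brain case, so refuse it.
    """
    dev = status.get(minor)
    if dev is None:
        return False
    return dev["ds"] == "UpToDate" and dev["peer_role"] != "Primary"


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("split", SAMPLE_SPLIT)):
        healthy, reasons = check_device(parse_proc_drbd(text))
        print(label, "healthy" if healthy else "; ".join(reasons))
```

On a real node the text would come from open("/proc/drbd").read(); wiring check_device into the heartbeat resource script, or a cron check, catches the disconnected-but-still-Primary state that the page's happy-path output does not show.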

2. Heartbeat configuration involves four files:
/etc/ha.d/ha.cf
/etc/ha.d/haresources
/etc/ha.d/authkeys
/etc/ha.d/resource.d/killnfsd
The configuration files are identical on both nodes; their contents are as follows:
[root@node1 ha.d]# cat /etc/ha.d/ha.cf
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility     local0
keepalive 2
deadtime 20
bcast eth0
auto_failback off
node    node1 node2
[root@node1 ha.d]# cat /etc/ha.d/haresources
node1 IPaddr::192.168.10.113/24/eth0 drbddisk::r0 Filesystem::/dev/drbd0::/u1::ext3 killnfsd
[root@node1 ha.d]# cat /etc/ha.d/authkeys
auth 1
1 crc
#2 sha1 HI!
#3 md5 Hello!
[root@node1 ha.d]# cat /etc/ha.d/resource.d/killnfsd
killall -9 nfsd ; /etc/init.d/nfs restart ; exit 0

/etc/ha.d/authkeys must have mode 600 and /etc/ha.d/resource.d/killnfsd mode 755:
chmod 600 /etc/ha.d/authkeys
chmod 755 /etc/ha.d/resource.d/killnfsd

Why killnfsd is needed: /etc/init.d/nfs stop does not actually stop nfsd, so I use killall -9 nfsd followed by /etc/init.d/nfs restart to be safe.
Then start Heartbeat on both nodes, the primary node first:
/etc/init.d/heartbeat start

5. Testing
Mount 192.168.10.113:/u1 on the local /mnt:
mount 192.168.10.113:/u1 /mnt
Create a test shell script that touches a file every two seconds:
cat /mnt/test.sh
#!/bin/sh
while true
do
    echo "---> trying touch x : `date`"
    touch x
    echo "<----- done touch x : `date`"
    echo
    sleep 2
done

Stop the heartbeat service on the primary node; the standby node2 then takes over the service:
/etc/init.d/heartbeat stop

The test script's terminal shows the following:
---> trying touch x : 二 6月 30 15:17:16 CST 2009
<----- done touch x : 二 6月 30 15:17:16 CST 2009

---> trying touch x : 二 6月 30 15:17:19 CST 2009
<----- done touch x : 二 6月 30 15:17:19 CST 2009

---> trying touch x : 二 6月 30 15:17:21 CST 2009
<----- done touch x : 二 6月 30 15:17:21 CST 2009

---> trying touch x : 二 6月 30 15:17:23 CST 2009
<----- done touch x : 二 6月 30 15:17:23 CST 2009

---> trying touch x : 二 6月 30 15:17:25 CST 2009
<----- done touch x : 二 6月 30 15:17:25 CST 2009

---> trying touch x : 二 6月 30 15:17:27 CST 2009
touch: cannot touch `x': Stale NFS file handle
<----- done touch x : 二 6月 30 15:17:42 CST 2009

---> trying touch x : 二 6月 30 15:17:44 CST 2009
touch: cannot touch `x': Stale NFS file handle
<----- done touch x : 二 6月 30 15:17:44 CST 2009

---> trying touch x : 二 6月 30 15:17:46 CST 2009
touch: cannot touch `x': Stale NFS file handle
<----- done touch x : 二 6月 30 15:17:46 CST 2009

---> trying touch x : 二 6月 30 15:18:03 CST 2009
<----- done touch x : 二 6月 30 15:18:03 CST 2009

---> trying touch x : 二 6月 30 15:18:05 CST 2009
<----- done touch x : 二 6月 30 15:18:05 CST 2009

With this, the test confirms the required functionality works.

6. References
Setup of High-Availability NFS servers (HA-NFS)  http://www.linux-ha.org/HaNFS
DRBD Heartbeat and NFS on Debian HowTo http://www.linux-ha.org/DRBD/NFS

172009

Tomcat cluster session replication failure caused by iptables

Apache in front, three Tomcat instances behind it (all on one machine). Because iptables is enabled,
session replication between the Tomcats does not work.

The following iptables rules need to be added:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
That is all.
By default only the INPUT-side loopback rule (INPUT -i lo -j ACCEPT) is present.

132009

Twenty-eight years gone, drifting in Shenzhen

Weekend, Shenzhen in the warm season; thankfully it is the weekend, a whole day to enjoy.

Time always slips away in a blink: just like that it is nine in the evening, just like that twenty-eight years have passed, just like that this is the ninth year of drifting from place to place. Still, the past always passes, and what comes, comes.

Still, in 2009 I have a job, scrimping and saving to put something aside...

Twenty-eight years gone; the past really no longer matters. The future is what truly needs thinking about, but what is there to think about? Blaming myself, blaming my surroundings, blaming an unfair society; what is the point of that! Angry youth...

Yes, some changes are needed. I cannot change other people or my present circumstances, so can I change myself?

Helping my younger sister with her slipper street stall here, I have seen every kind of life; running your own business and earning money is hard.

My Python/Oracle studies are progressing; much of the time I doubt my own ability, especially with Python...

Running your own business, even just a stall, is hard money, but I can still help bring in thirty or forty yuan a day, though it is exhausting.
Python: for a system administrator without a computer-science background, variables, expressions and loops are still a fog, but I have begun to write some Python scripts that solve problems at work.

Drifting in Shenzhen, from one company to another, coming and going; that is the feeling of drifting. Inside I always want to find a job with long-term prospects, or something of my own. For an engineer under heavy pressure, what sways me, besides my own restlessness, is mostly the pressure of circumstances. Some things you only understand after experiencing them yourself. Still, having felt many times what it is like to lose a job, today, with crisis all around, in Shenzhen, I have this job. I am grateful to this city. Today's drifting is really more a hope of stopping and putting down roots!

Written as the 28-year LOG from the 21st day of the 5th lunar month, 1981, to the 21st day of the 5th lunar month, 2009.

082009

Transparent DNS interception to restrict network access (Linux + iptables + BIND)

Goals
1. Use iptables on the Linux gateway to intercept DNS and log every machine's DNS requests (which sites were visited, and when).
2. Use DNS spoofing to block users from certain websites, by pointing the blocked domain names at a wrong IP address.

Method
1. Redirect every DNS request entering the gateway to the gateway's own port 53, so that even if an internal PC is configured with a different DNS server, the gateway ends up doing the resolution.
A single iptables command does it:
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 53

2. DNS settings
In BIND's configuration file named.conf, forward requests to the ISP's DNS servers, for example Shenzhen Telecom's 202.96.128.68 and 202.96.134.133.
Set the website users must not visit: test.com.
Log queries to /var/named/query.log; reading this log shows which websites users visited.
Remember to change the owner of /var/named to named (chown -R named:named /var/named), otherwise /var/named/query.log cannot be created.

[root@gw ~]# cat /etc/named.conf
// Default named.conf generated by install of bind-9.2.4-30.el4

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    forwarders { 202.96.128.68; 202.96.134.133; };
};

zone "test.com" IN {
    type master;
    file "test.com.zone";
};

logging {
    channel query_log {
        file "query.log" versions 3 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries {
        query_log;
    };
};

The zone file points www.test.com and, through the * wildcard, every other name under test.com at 127.0.0.1:
cat /var/named/test.com.zone
$TTL    1D
@       IN SOA  test.com. root.test.com. (
                1053891162      ; serial
                3H              ; refresh
                15M             ; retry
                1W              ; expire
                1D )            ; minimum TTL
        IN NS   test.com.
        IN MX 5 test.com.
www     IN A    127.0.0.1
*       IN A    127.0.0.1

Start BIND:
/etc/init.d/named start

Apply the port redirect:
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 53

The log looks like this:
[root@gw ~]# !ta
tail -f /var/named/query.log
Jun 08 16:46:18.930 queries: client 192.168.10.193#55856: query: updatem.360safe.com IN A
Jun 08 16:46:19.311 queries: client 192.168.10.182#61239: query: policy.store.qq.com IN A
Jun 08 16:46:20.329 queries: client 192.168.10.182#54165: query: route.store.qq.com IN A
Jun 08 16:46:20.784 queries: client 192.168.10.182#65321: query: xanewp.photo.qq.com IN A
Jun 08 16:46:20.790 queries: client 192.168.10.182#58162: query: app.photo.qq.com IN A
Jun 08 16:46:21.089 queries: client 192.168.10.177#65300: query: www.microsoft.com IN A
Jun 08 16:46:22.939 queries: client 192.168.10.182#64573: query: s21.photo.store.qq.com IN A
Jun 08 16:46:23.182 queries: client 192.168.10.182#52749: query: s17.photo.store.qq.com IN A
Jun 08 16:46:23.266 queries: client 192.168.10.204#51395: query: user.qzone.qq.com IN A
Jun 08 16:46:24.440 queries: client 192.168.10.204#56676: query: pingfore.qq.com IN A
Jun 08 16:46:24.770 queries: client 192.168.10.204#57851: query: users.qzone.qq.com IN A
Jun 08 16:46:24.839 queries: client 192.168.10.204#50360: query: base.qzone.qq.com IN A
Jun 08 16:46:24.843 queries: client 192.168.10.204#61001: query: taotao.qq.com IN A
Jun 08 16:46:24.883 queries: client 192.168.10.204#53403: query: ic.qzone.qq.com IN A
Jun 08 16:46:25.176 queries: client 192.168.10.204#64821: query: qlogo4.store.qq.com IN A
Jun 08 16:46:25.426 queries: client 192.168.10.204#60886: query: g.qzone.qq.com IN A
Jun 08 16:46:26.435 queries: client 192.168.10.204#60875: query: vip.qzone.qq.com IN A
Jun 08 16:46:26.730 queries: client 192.168.10.204#53668: query: cityapi.qzone.qq.com IN A
Jun 08 16:46:27.227 queries: client 192.168.10.204#61486: query: daren4.store.qq.com IN A
Jun 08 16:46:27.235 queries: client 192.168.10.197#55670: query: profile.qshop.qq.com IN A
Jun 08 16:46:27.335 queries: client 192.168.10.204#64822: query: broadcast.qq.com IN A
Jun 08 16:46:27.626 queries: client 192.168.10.202#56066: query: qzone-client.qq.com IN A
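Reading query.log by eye works for a few lines; to answer the post's question (which client resolved which names, and who tried to reach the sinkholed zone) the log has to be parsed. The following Python script is an added example, not code from the original post: SAMPLE_LOG is constructed to follow the BIND query-log format shown above (the addresses and names in it are made up), and the functions parse_query_log, queries_per_client, in_zone and blocked_lookups are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the BIND 9.2 query-log format shown in the post.
SAMPLE_LOG = """\
Jun 08 16:46:18.930 queries: client 192.168.10.193#55856: query: updatem.360safe.com IN A
Jun 08 16:46:19.311 queries: client 192.168.10.182#61239: query: policy.store.qq.com IN A
Jun 08 16:46:21.089 queries: client 192.168.10.177#65300: query: www.microsoft.com IN A
Jun 08 16:46:23.266 queries: client 192.168.10.204#51395: query: user.qzone.qq.com IN A
Jun 08 16:46:30.001 queries: client 192.168.10.204#52000: query: www.test.com IN A
Jun 08 16:46:31.500 queries: client 192.168.10.182#52001: query: 12134.test.com IN A
Jun 08 16:46:32.010 queries: client 192.168.10.182#52002: query: mytest.com IN MX
this line is not a query record and is skipped
"""

# "<Mon DD HH:MM:SS.mmm> queries: client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield one dict per well-formed query line; anything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["name"] = rec["name"].rstrip(".").lower()
            yield rec


def queries_per_client(records):
    """{client_ip: Counter({name: count})}: who resolved what, and how often."""
    per_client = defaultdict(Counter)
    for rec in records:
        per_client[rec["client"]][rec["name"]] += 1
    return per_client


def in_zone(name, zone):
    """True if name is the zone apex or lies beneath it. The match is on a
    label boundary, so 'mytest.com' is NOT inside 'test.com'."""
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def blocked_lookups(records, blocked_zones):
    """Return (ts, client, name) for every query that fell inside a sinkholed zone.

    With the zone file above such a query is answered with 127.0.0.1, so the
    query log is the only place the attempt shows up.
    """
    return [
        (rec["ts"], rec["client"], rec["name"])
        for rec in records
        if any(in_zone(rec["name"], z) for z in blocked_zones)
    ]


if __name__ == "__main__":
    records = list(parse_query_log(SAMPLE_LOG))
    for client, names in sorted(queries_per_client(records).items()):
        print(client, dict(names))
    for hit in blocked_lookups(records, ["test.com"]):
        print("sinkholed:", *hit)
```

On the gateway the text would come from /var/named/query.log (or its rotated query.log.0 ... query.log.2 siblings, given the versions 3 setting). Note that only UDP/53 is redirected by the iptables rule on this page, so DNS sent over TCP by an internal host would not appear in this log.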

Test result from a client; my notebook's DNS server is set to 202.96.128.68:
C:\Documents and Settings\li>nslookup www.test.com
*** Can't find server name for address 202.96.128.68: Non-existent domain
*** Can't find server name for address 202.96.134.133: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  202.96.128.68

Name:    www.test.net
Address:  127.0.0.1

C:\Documents and Settings\li>nslookup 12134.test.com
*** Can't find server name for address 202.96.128.68: Non-existent domain
*** Can't find server name for address 202.96.134.133: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  202.96.128.68

Name:    12134.test.com
Address:  127.0.0.1

022009

How to install Nginx 0.7.59

An unconventional way to install nginx-0.7.59
1. Before installing, download pcre and openssl, for example into /opt/software/; unpack them, run ./configure and make, but do not run make install.

Then unpack nginx and run:
./configure --prefix=/usr/local/nginx --user=nobody --group=nobody --with-pcre=/opt/software/pcre-7.6 --with-http_stub_status_module --with-openssl=/opt/software/openssl-0.9.8k --with-http_ssl_module

This note is for those whose make install failed. It took me nearly 3 hours to find this method.

012009

Sharing a printer on Ubuntu with Samba and CUPS

Background: the company's (hardware) network print server died after N years, following a power outage, and nobody could print. So I moved the printer next to the Ubuntu 8.04 machine that serves as the file server and connected the HP 1200 printer with a USB cable.

Goal: PCs can add this printer without a username or password. Steps:

1. Samba server configuration
Add the following lines to the configuration file /etc/cups/cupsd.conf:
printcap name = cups
printing = cups
security = share

# make sure [printers] section looks like this
[printers]
browseable = yes
printable = yes
public = yes
create mode = 0700
guest only = yes
use client driver = yes
path = /tmp

2. CUPS server configuration
The configuration file is /etc/cups/cupsd.conf; its contents are below. My print server's IP is 192.168.10.101.
LogLevel warning
SystemGroup lpadmin
Listen 192.168.10.101:631
Listen /var/run/cups/cups.sock
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
Order allow,deny
Allow From 192.168.10.*
</Location>
<Location /admin>
Order allow,deny
Allow From 192.168.10.*
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow From 192.168.10.*
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow From 192.168.10.*
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow From 192.168.10.*
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow From 192.168.10.*
</Limit>
<Limit All>
Order deny,allow
Allow From 192.168.10.*
</Limit>
</Policy>

3. Restart the samba and cups services:
/etc/init.d/samba restart
/etc/init.d/cups restart

4. Open a browser at the CUPS admin interface https://v5:631/admin and add the printer (note: edit the client's hosts file C:\WINDOWS\system32\drivers\etc\hosts so the hostname maps to the IP address).

5. On a client, enter \\192.168.10.101 to see the printer and add it as a network printer.

072009

Compiling kernel 2.6.29.1 the traditional way on CentOS

Download the kernel source. We download the kernel we need into /opt:
cd /opt
wget http://www.cdnetworks.lkams.kernel.org/pub/linux/kernel/v2.6/linux-2.6.29.1.tar.bz2
Then unpack the source and create a symbolic link named linux that points to the source directory:
tar -jxf linux-2.6.29.1.tar.bz2
ln -s linux-2.6.29.1 linux
cd linux

Configure the kernel. Using the running kernel's configuration as the basis for the new configuration is a good idea, so copy the existing config file into /opt/linux:
make mrproper
cp /boot/config-`uname -r` ./.config
Then run make menuconfig to open the kernel configuration menu. Move the cursor to the line "Load an Alternate Configuration File" and choose .config as the configuration file.
Then browse the configuration menu and select the features you need. When finished, choose Exit and answer Yes to the question "Do you wish to save your new kernel configuration?".

Build and install the new kernel by running these three commands:
make all
make modules_install
make install

Enable the new kernel by editing /etc/grub.conf.
My grub.conf looks like this:
grep -v "#" /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.29.1)
root (hd0,0)
kernel /vmlinuz-2.6.29.1 ro root=/dev/sda2
initrd /initrd-2.6.29.1.img
title CentOS (2.6.9-78.0.13.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-78.0.13.EL ro root=/dev/sda2
initrd /initrd-2.6.9-78.0.13.EL.img
title CentOS (2.6.9-78.0.8.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-78.0.8.EL ro root=/dev/sda2
initrd /initrd-2.6.9-78.0.8.EL.img
title CentOS (2.6.26)
root (hd0,0)
kernel /vmlinuz-2.6.26 ro root=LABEL=/
initrd /initrd-2.6.26.img
title CentOS (2.6.9-67.0.22.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-67.0.22.EL ro root=LABEL=/
initrd /initrd-2.6.9-67.0.22.EL.img

Now reboot the system: shutdown -r now
If everything went well, your new kernel is now running. You can check which kernel is running with: uname -r, which should show: 2.6.29.1

032009

Shenzhen Tong card demagnetized...

In less than a year it lost its magnetism, even though I always kept it in a protective sleeve.

Even more annoying, there is only one place in the Shenzhen urban area that can re-magnetize it.

The location is Room 101, 1st floor, Electronics Building, No. 2072 Shenzhen Zhong Road.

132009

2009, my Year of the Ox

2009: I want to get married, my Year of the Ox

2009: my wife and I succeeded in making a little "ox"

2009: I need to earn money, just to raise the "ox"

In the Year of the Ox I believe there will be bullish luck!

112009

An Apache ACL example using .htaccess

Goal:
Users coming from the trusted internal network or from specified IPs get in without authentication; users from any other IP must authenticate first. Adding a trusted IP must not require restarting Apache.

Steps
1. In httpd.conf, in the directory block for htdocs, change AllowOverride none to AllowOverride all and restart Apache.
2. In the htdocs directory create a .htaccess file with the following content:
AuthName "TEST"
AuthType Basic
Order deny,allow
Deny from all
# trusted IPs (Apache does not accept comments after a directive, so they go on their own line)
Allow from 192.168.10 202.170.13.113
# user authentication file; make sure the httpd user can read it
AuthUserFile /opt/apache/htdocs/.pass
require valid-user
Satisfy any

3. Create /opt/apache/htdocs/.pass with two users, username1 and username2, both with the password "password":
/opt/apache/bin/htpasswd -cmb /opt/apache/htdocs/.pass username1 password
/opt/apache/bin/htpasswd -mb /opt/apache/htdocs/.pass username2 password

4. Done.
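To reason about who gets in under the .htaccess above, here is an added Python model of the decision Apache makes (it is a simulation of the rules, not Apache's code, and not part of the original post). It implements the partial-address semantics of Allow from (192.168.10 matches 192.168.10.0-255 on an octet boundary), the "last match wins" behaviour of Order deny,allow, and the difference between Satisfy any (used on the page) and the default Satisfy all. USERS is a constructed stand-in for the .pass file that compares plain strings, because the point is the access logic, not htpasswd hashing; the function names host_matches, host_allowed, user_valid and access_granted are mine.

```python
# Added example: a model of the .htaccess access decision (not Apache's own code).


def _ip_octets(text):
    """Split a full or partial dotted IPv4 address into a list of octets."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not an IPv4 address or partial address: %r" % text)
    return [int(p) for p in parts]


def host_matches(client_ip, allow_entry):
    """Apache 'Allow from' partial-IP semantics: '192.168.10' matches
    192.168.10.0-255 only. The compare is per octet, so 192.168.100.7 is NOT
    matched, whereas a naive string-prefix test would wrongly accept it."""
    client = _ip_octets(client_ip)
    if len(client) != 4:
        raise ValueError("client address must be a full IPv4 address")
    allowed = _ip_octets(allow_entry)
    return client[: len(allowed)] == allowed


def host_allowed(client_ip, allow_list):
    """Order deny,allow / Deny from all / Allow from <list>: with this order the
    Allow directives are evaluated last, so a matching Allow overrides the Deny."""
    return any(host_matches(client_ip, entry) for entry in allow_list)


def user_valid(credentials, users):
    """'require valid-user': any user present in the file with the right password."""
    if credentials is None:
        return False
    user, password = credentials
    return users.get(user) == password


def access_granted(client_ip, credentials, allow_list, users, satisfy="any"):
    """Satisfy any: passing the host check OR the user check is enough.
    Satisfy all (Apache's default): both must pass, so even trusted addresses
    would be prompted to log in."""
    host_ok = host_allowed(client_ip, allow_list)
    if satisfy == "any":
        return host_ok or user_valid(credentials, users)
    return host_ok and user_valid(credentials, users)


# Constructed stand-in for /opt/apache/htdocs/.pass (the real file holds MD5 hashes).
USERS = {"username1": "password", "username2": "password"}
# The trusted addresses from the .htaccess above.
TRUSTED = ["192.168.10", "202.170.13.113"]

if __name__ == "__main__":
    for ip, creds in (("192.168.10.55", None), ("192.168.100.7", None),
                      ("10.0.0.9", ("username1", "password")), ("10.0.0.9", None)):
        print(ip, creds, "->", "allowed" if access_granted(ip, creds, TRUSTED, USERS) else "denied")
```

Two things worth checking with this setup: the .pass file lives inside the document root, so access to it should be denied to clients (the stock httpd.conf only protects names beginning with .ht, which .pass does not), and the partial-address entry 192.168.10 grants the whole /24, so every host that can obtain an address in that range skips authentication.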