June 2020 – 一江春水向东流

docker和harbor启动失败解决

今天启动harbor时启动失败，有几个问题，记录一下：重启docker，报错： msg=”Error starting daemon: layer does not exist” 解决：只能是清空docker数据目录了，实际上官方还提供了一个略微安全的删除脚本：

#!/bin/sh
set -e

dir="$1"

if [ -z "$dir" ]; then
	{
		echo 'This script is for destroying old /var/lib/docker directories more safely than'
		echo '  "rm -rf", which can cause data loss or other serious issues.'
		echo
		echo "usage: $0 directory"
		echo "   ie: $0 /var/lib/docker"
	} >&2
	exit 1
fi

if [ "$(id -u)" != 0 ]; then
	echo >&2 "error: $0 must be run as root"
	exit 1
fi

if [ ! -d "$dir" ]; then
	echo >&2 "error: $dir is not a directory"
	exit 1
fi

dir="$(readlink -f "$dir")"

echo
echo "Nuking $dir ..."
echo '  (if this is wrong, press Ctrl+C NOW!)'
echo

( set -x; sleep 10 )
echo

dir_in_dir() {
	inner="$1"
	outer="$2"
	[ "${inner#$outer}" != "$inner" ]
}

# let's start by unmounting any submounts in $dir
#   (like -v /home:... for example - DON'T DELETE MY HOME DIRECTORY BRU!)
for mount in $(awk '{ print $5 }' /proc/self/mountinfo); do
	mount="$(readlink -f "$mount" || true)"
	if dir_in_dir "$mount" "$dir"; then
		( set -x; umount -f "$mount" )
	fi
done

# now, let's go destroy individual btrfs subvolumes, if any exist
if command -v btrfs > /dev/null 2>&1; then
	root="$(df "$dir" | awk 'NR>1 { print $NF }')"
	root="${root#/}" # if root is "/", we want it to become ""
	for subvol in $(btrfs subvolume list -o "$root/" 2>/dev/null | awk -F' path ' '{ print $2 }' | sort -r); do
		subvolDir="$root/$subvol"
		if dir_in_dir "$subvolDir" "$dir"; then
			( set -x; btrfs subvolume delete "$subvolDir" )
		fi
	done
fi

# finally, DESTROY ALL THINGS
( set -x; rm -rf "$dir" )

#!/bin/sh

set -e

dir="$1"

if [ -z "$dir" ]; then

{

echo 'This script is for destroying old /var/lib/docker directories more safely than'

echo ' "rm -rf", which can cause data loss or other serious issues.'

echo

echo "usage: $0 directory"

echo " ie: $0 /var/lib/docker"

} >&2

exit 1

if [ "$(id -u)" != 0 ]; then

echo >&2 "error: $0 must be run as root"

exit 1

if [ ! -d "$dir" ]; then

echo >&2 "error: $dir is not a directory"

exit 1

dir="$(readlink -f "$dir")"

echo

echo "Nuking $dir ..."

echo ' (if this is wrong, press Ctrl+C NOW!)'

echo

( set -x; sleep 10 )

echo

dir_in_dir() {

inner="$1"

outer="$2"

[ "${inner#$outer}" != "$inner" ]

}

# let's start by unmounting any submounts in $dir

# (like -v /home:... for example - DON'T DELETE MY HOME DIRECTORY BRU!)

for mount in $(awk '{ print $5 }' /proc/self/mountinfo); do

mount="$(readlink -f "$mount" || true)"

if dir_in_dir "$mount" "$dir"; then

( set -x; umount -f "$mount" )

done

# now, let's go destroy individual btrfs subvolumes, if any exist

if command -v btrfs > /dev/null 2>&1; then

root="$(df "$dir" | awk 'NR>1 { print $NF }')"

root="${root#/}" # if root is "/", we want it to become ""

for subvol in $(btrfs subvolume list -o "$root/" 2>/dev/null | awk -F' path ' '{ print $2 }' | sort -r); do

subvolDir="$root/$subvol"

if dir_in_dir "$subvolDir" "$dir"; then

( set -x; btrfs subvolume delete "$subvolDir" )

done

# finally, DESTROY ALL THINGS

( set -x; rm -rf "$dir" )

将该脚本保存到本地后运行sh fix.sh /data/docker，清空/data/docker目录，重启docker服务 docker-compose启动harbor， harbor-log启动失败 Changing password for root. sudo: unable to change expired password: Authentication token manipulation error sudo: Account or password is expired, reset your password and try again 解决：参考：https://kb.vmware.com/s/article/79497 重新拉取镜像：docker pull goharbor/harbor-log:v1.10.3 修改配置文件，重启成功 Read more…

By sean, 5 years06/23/2020 ago

SECURITY

CentOS 7 上使用Certbot申请通配符证书

在CentOS7上安装Certbot有三种方式：使用Certbot官方提供的对应平台的RPM包安装使用Certbot官方的提供的certbot-auto安装使用pip安装Certbot，因为Certbot是Python程序本文使用虚拟环境，使用pip安装Certbot 创建虚拟环境：可参考https://meaninglive.com/2020/06/15/%E5%88%9B%E5%BB%BA%E8%99%9A%E6%8B%9F%E7%8E%AF%E5%A2%83-ansible-python3-and-virtualenvs-on-centos-and-rhel/ 创建所需环境：

mkvirtualenv certbot 
workon certbot 
pip install -U setuptools pip pip install certbot-dns-route53 
参考：https://wsgzao.github.io/post/certbot/

mkvirtualenv certbot

workon certbot

pip install -U setuptools pip pip install certbot-dns-route53

参考：https://wsgzao.github.io/post/certbot/

用如下命令申请证书注意替换成自己的域名；执行该命令时不依赖nginx：

certbot -d meaninglive.com \
          -d *.meaninglive.com \
          --manual --preferred-challenges dns-01 \
          --server https://acme-v02.api.letsencrypt.org/directory \
          certonly --agree-tos

certbot -d meaninglive.com \

-d *.meaninglive.com \

--manual --preferred-challenges dns-01 \

--server https://acme-v02.api.letsencrypt.org/directory \

certonly --agree-tos

介绍下相关参数： certonly，表示安装模式，Certbot 有安装模式和验证模式两种类型的插件。 –manual 表示手动安装插件，Certbot 有很多插件，不同的插件都可以申请证书，用户可以根据需要自行选择 -d 为那些主机申请证书，如果是通配符，输入 *.devapi.haoshiqi.net（可以替换为你自己的域名） –preferred-challenges dns，使用 DNS 方式校验域名所有权 –server，Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本，需要显示指定。输入应急邮箱，证书到期前会有邮件提示如果想跳过输入邮箱的步骤，可在申请命令后面加上：

--register-unsafely-without-email

1	--register-unsafely-without-email

之后出现如下提示：要公开记录申请该证书的IP地址，是否同意？不同意就无法继续。同意之后，出现如下提示，第一个“Press Enter to Continue”处直接回车，第二个“Press Enter to Continue”不要按回车：

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com <span class="hljs-keyword">with</span> the following value:

iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue             #此处直接回车

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com <span class="hljs-keyword">with</span> the following value:

f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue             #此处不要按回车

-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.co1dawn.com <span class="hljs-keyword">with</span> the following value:

iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue #此处直接回车

-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.co1dawn.com <span class="hljs-keyword">with</span> the following value:

f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue #此处不要按回车

为DNS解析增加TXT记录进入自己域名的DNS记录管理页面，增加两条TXT记录，多数情况下，仅需在域名(Name)处填入_acme-challenge，在内容(Target)处填入上一步Certbot生成的内容即可(记得填写两个，多个文本记录之间以换行符(Enter键)分隔)，不同DNS提供商处可能会略有不同，根据实际情况修改，如果是www.name.com的域名的话，就分别写两条相同主机名的记录，填写不同的记录稍等片刻，等TXT记录解析生效。查看是否生效的命令和生效后的查询结果如下： host -t Read more…

By sean, 5 years ago

SECURITY

自签名证书详解

总结下来，其实生成证书就两句话：

DOMAIN='www.example.com'

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -nodes -new -subj $SUBJECT -keyout $DOMAIN.key -out $DOMAIN.csr

printf "subjectAltName=DNS:localhost,IP:192.168.1.1" | \
openssl x509 -req -sha256 -days 3650 -in $DOMAIN.csr \
 -signkey $DOMAIN.key -out $DOMAIN.crt \
 -extfile /dev/stdin

DOMAIN='www.example.com'

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -nodes -new -subj $SUBJECT -keyout $DOMAIN.key -out $DOMAIN.csr

printf "subjectAltName=DNS:localhost,IP:192.168.1.1" | \

openssl x509 -req -sha256 -days 3650 -in $DOMAIN.csr \

-signkey $DOMAIN.key -out $DOMAIN.crt \

-extfile /dev/stdin

———————————————- 有一个shell脚本来自动生成证书：

#!/bin/sh

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 1024

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"

#!/bin/sh

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 1024

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key

openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"

echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"

echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"

echo "Add configuration in nginx:"

echo "server {"

echo " ..."

echo " listen 443 ssl;"

echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"

echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"

echo "}"

另一个脚本：

#!/bin/sh

domain='gpaas.yyuap.com'

# 生成证书和key的对应文件名
ca_file=${domain}.ca
key_file=${domain}.key
cert_file=${domain}.crt

printf "[req]
default_bits            = 4096
default_md              = sha256
prompt                  = no
encrypt_key             = no
string_mask = utf8only

distinguished_name      = cert_distinguished_name
req_extensions          = req_x509v3_extensions

# 将下面的信息替换成你的信息
[ cert_distinguished_name ]
C  = CN
ST = GD
L  = GZ
O  = yyuap
OU = yyuap
CN = gpaas.yyuap.com

[req_x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier    = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment
extendedKeyUsage  = critical,serverAuth #, clientAuth
subjectAltName=@alt_names

# 将下面的信息替换成你的信息, 如果无需绑定域名或IP, 可以将其多余删除
[alt_names]
DNS.1 = *.yyuap.com
IP.1 = 172.20.47.38
IP.2 = 127.0.0.1
" >$ca_file


openssl ecparam -out $key_file -name prime256v1 -genkey
openssl req -new -sha256 -x509 -days 7300 -config $ca_file -extensions req_x509v3_extensions -key $key_file -out $cert_file
openssl x509 -in $cert_file -serial -noout
openssl x509 -noout -text -in "$domain-cert.pem"
echo -e "\e[1m\e[34m基于openssl verify校验证书可用性:\e[0m"
# 返回ok字样代表自签名证书是有效的.
openssl verify -verbose -CAfile $cert_file $cert_file

echo -e "\e[1m\e[34m基于openssl s_server校验证书可用性:\e[0m"
openssl s_server -cert $cert_file -key $key_file -CAfile $cert_file -Verify 3 -accept 4430 -www &
openssl_pid=$!
# 测试证书有效性, 127.0.0.1可以改成alt_names中你想测试的域名或IP, 前提是被测试的域名需要被正确解析到本机.
# 返回Verify return code: 0 (ok)代表自签名证书是有效的.
echo 'GET /HTTP/1.1' | openssl s_client -connect 127.0.0.1:4430 -cert $cert_file -key $key_file -CAfile $cert_file
kill ${openssl_pid}

#!/bin/sh

domain='gpaas.yyuap.com'

# 生成证书和key的对应文件名

ca_file=${domain}.ca

key_file=${domain}.key

cert_file=${domain}.crt

printf "[req]

default_bits = 4096

default_md = sha256

prompt = no

encrypt_key = no

string_mask = utf8only

distinguished_name = cert_distinguished_name

req_extensions = req_x509v3_extensions

# 将下面的信息替换成你的信息

[ cert_distinguished_name ]

C = CN

ST = GD

L = GZ

O = yyuap

OU = yyuap

CN = gpaas.yyuap.com

[req_x509v3_extensions]

basicConstraints = critical,CA:true

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment

extendedKeyUsage = critical,serverAuth #, clientAuth

subjectAltName=@alt_names

# 将下面的信息替换成你的信息, 如果无需绑定域名或IP, 可以将其多余删除

[alt_names]

DNS.1 = *.yyuap.com

IP.1 = 172.20.47.38

IP.2 = 127.0.0.1

" >$ca_file

openssl ecparam -out $key_file -name prime256v1 -genkey

openssl req -new -sha256 -x509 -days 7300 -config $ca_file -extensions req_x509v3_extensions -key $key_file -out $cert_file

openssl x509 -in $cert_file -serial -noout

openssl x509 -noout -text -in "$domain-cert.pem"

echo -e "\e[1m\e[34m基于openssl verify校验证书可用性:\e[0m"

# 返回ok字样代表自签名证书是有效的.

openssl verify -verbose -CAfile $cert_file $cert_file

echo -e "\e[1m\e[34m基于openssl s_server校验证书可用性:\e[0m"

openssl s_server -cert $cert_file -key $key_file -CAfile $cert_file -Verify 3 -accept 4430 -www &

openssl_pid=$!

# 测试证书有效性, 127.0.0.1可以改成alt_names中你想测试的域名或IP, 前提是被测试的域名需要被正确解析到本机.

# 返回Verify return code: 0 (ok)代表自签名证书是有效的.

echo 'GET /HTTP/1.1' | openssl s_client -connect 127.0.0.1:4430 -cert $cert_file -key $key_file -CAfile $cert_file

kill ${openssl_pid}

参考：https://www.fullstackmemo.com/2018/05/10/openssl-gen-https-self-signed-cer/ nginx配置：

server {
    listen 80;
    server_name xxx.com gpaas.xxx.com;
    #return 301 https://$server_name$request_uri;
    #rewrite ^/(.*) https://$server_name$request_uri? permanent; # 80端口全部重定向到 https
    if ($scheme = http){
        return 301 https://$host$request_uri;
    }
}

    #启用 https, 使用 http/2 协议, nginx 1.9.11 启用 http/2 会有bug, 已在 1.9.12 版本中修复.
    listen 443 ssl http2;

    charset utf-8;
    server_name xxx.com gpaas.xxx.com;

    #告诉浏览器当前页面禁止被frame
    add_header X-Frame-Options DENY;
    #告诉浏览器不要猜测mime类型
    add_header X-Content-Type-Options nosniff;
    
    #证书路径
    ssl_certificate      cert/meaninglive.com/full_chain.pem;
    #私钥路径
    ssl_certificate_key  cert/meaninglive.com/private.key;

    #安全链接可选的加密协议
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #可选的加密算法,顺序很重要,越靠前的优先级越高.
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    #在 SSLv3 或 TLSv1 握手过程一般使用客户端的首选算法,如果启用下面的配置,则会使用服务器端的首选算法.
    ssl_prefer_server_ciphers on;
    #储存SSL会话的缓存类型和大小
    ssl_session_cache shared:SSL:10m;
    #缓存有效期
    ssl_session_timeout 60m;

server {

listen 80;

server_name xxx.com gpaas.xxx.com;

#return 301 https://$server_name$request_uri;

#rewrite ^/(.*) https://$server_name$request_uri? permanent; # 80端口全部重定向到 https

if ($scheme = http){

return 301 https://$host$request_uri;

}

#启用 https, 使用 http/2 协议, nginx 1.9.11 启用 http/2 会有bug, 已在 1.9.12 版本中修复.

listen 443 ssl http2;

charset utf-8;

server_name xxx.com gpaas.xxx.com;

#告诉浏览器当前页面禁止被frame

add_header X-Frame-Options DENY;

#告诉浏览器不要猜测mime类型

add_header X-Content-Type-Options nosniff;

#证书路径

ssl_certificate cert/meaninglive.com/full_chain.pem;

#私钥路径

ssl_certificate_key cert/meaninglive.com/private.key;

#安全链接可选的加密协议

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#可选的加密算法,顺序很重要,越靠前的优先级越高.

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

#在 SSLv3 或 TLSv1 握手过程一般使用客户端的首选算法,如果启用下面的配置,则会使用服务器端的首选算法.

ssl_prefer_server_ciphers on;

#储存SSL会话的缓存类型和大小

ssl_session_cache shared:SSL:10m;

#缓存有效期

ssl_session_timeout 60m;

—————证书知识补充——————————- 自签名证书 + Nginx 实现 HTTP 升级 HTTPS 很多内网平台在开发时候并没有考虑 HTTPS，想要从 HTTP 升级到 HTTPS 一般有两种方法：一种是更新所有相关前后端代码；另一种是基本不改变代码，用 Nginx 把 HTTPS 反向代理到 HTTP 接口。第一种方法工作量有点大，本文介绍下第二种方法，当然首先要做的是生成自签名证书。准备工作内网环境受影响的是软件安装升级和证书申请，所以需要制作本地 yum 和自签名证书，自签名证书稍后讲，制作本地 yum 库可参考链接内容， HTTPS 和 CA 基础知识查看这里。制作本地 yum 库，为了自动处理软件之间的依赖关系，一般都会用 yum 等软件包管理器来安装更新软件，默认 yum 是从互联网获取各种软件包的，内网环境就需要制作本地 yum Read more…

By sean, 5 years06/19/2020 ago

SECURITY

内网一键生成 LetsEncrypt HTTPS证书

HTTPS当前越来越重要，所以经常会有公司去花钱买，我们也一样，有时候确实需要https，但是收费的用不起，所以打起了免费的主义。 LetsEncrypt是不错的选择，但是我们如果在内网该如何克服呢，没错，使用ngrok。一键生成。 ngrok是在内网用户可以获得公网访问的一个非常棒的软件。找一台有公网地址的机器我们找到了假设是公网A 找一个域名，用于传输流量我们找到了，假设是ops.ac.cn，注意，ac.cn是域名哦，虽然是二级域名，但是ac.cn是中科院相关的域名机构。而且我们要设置泛域名 A记录到公网A 搭建ngrok 如下脚本一气呵成，胆儿大的可以直接试试。最终的目录是在/usr/local/ngrok下面

# 安装基本依赖
yum -y install zlib-devel openssl-devel perl hg cpio expat-devel gettext-devel curl curl-devel perl-ExtUtils-MakeMaker hg wget gcc gcc-c++
 asciidoc
yum remove -y git
wget https://www.kernel.org/pub/software/scm/git/git-2.6.0.tar.gz

tar zxvf git-2.6.0.tar.gz

cd git-2.6.0
make configure
./configure --prefix=/usr/local/git --with-iconv=/usr/local/libiconv
make all doc
make install install-doc install-html
echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc
source /etc/bashrc

ln -s /usr/local/git/bin/* /usr/bin/


# 安装go环境
yum install -y mercurial bzr subversion

wget https://storage.googleapis.com/golang/go1.4.1.linux-amd64.tar.gz

tar -C /usr/local -xzf go1.4.1.linux-amd64.tar.gz

mkdir $HOME/go

echo 'export GOROOT=/usr/local/go' >> ~/.bashrc 

echo 'export GOPATH=$HOME/go' >> ~/.bashrc 

echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.bashrc 

source $HOME/.bashrc 

ln -s /usr/local/go/bin/* /usr/bin/

# 编译ngrok
cd /usr/local/
git clone https://github.com/inconshreveable/ngrok.git
export GOPATH=/usr/local/ngrok/
export NGROK_DOMAIN="ops.ac.cn"
cd ngrok

# 为域名生成证书
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=$NGROK_DOMAIN" -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000


cp rootCA.pem assets/client/tls/ngrokroot.crt

cp server.crt assets/server/tls/snakeoil.crt

cp server.key assets/server/tls/snakeoil.key

sed '5 ilog "github.com/keepeye/log4go"' -i /usr/local/ngrok/src/ngrok/log/logger.go

# 编译服务端
cd /usr/local/go/src 
GOOS=linux GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=linux GOARCH=amd64 make release-server
GOOS=linux GOARCH=amd64 make release-client

# 编译客户端
cd /usr/local/go/src
GOOS=darwin GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=darwin GOARCH=amd64 make release-client

cd /usr/local/go/src
GOOS=windows GOARCH=amd64 ./make.bash
cd /usr/local/ngrok/
GOOS=windows GOARCH=amd64 make release-client

# 安装基本依赖

yum -y install zlib-devel openssl-devel perl hg cpio expat-devel gettext-devel curl curl-devel perl-ExtUtils-MakeMaker hg wget gcc gcc-c++

asciidoc

yum remove -y git

wget https://www.kernel.org/pub/software/scm/git/git-2.6.0.tar.gz

tar zxvf git-2.6.0.tar.gz

cd git-2.6.0

make configure

./configure --prefix=/usr/local/git --with-iconv=/usr/local/libiconv

make all doc

make install install-doc install-html

echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc

source /etc/bashrc

ln -s /usr/local/git/bin/* /usr/bin/

# 安装go环境

yum install -y mercurial bzr subversion

wget https://storage.googleapis.com/golang/go1.4.1.linux-amd64.tar.gz

tar -C /usr/local -xzf go1.4.1.linux-amd64.tar.gz

mkdir $HOME/go

echo 'export GOROOT=/usr/local/go' >> ~/.bashrc

echo 'export GOPATH=$HOME/go' >> ~/.bashrc

echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.bashrc

source $HOME/.bashrc

ln -s /usr/local/go/bin/* /usr/bin/

# 编译ngrok

cd /usr/local/

git clone https://github.com/inconshreveable/ngrok.git

export GOPATH=/usr/local/ngrok/

export NGROK_DOMAIN="ops.ac.cn"

cd ngrok

# 为域名生成证书

openssl genrsa -out rootCA.key 2048

openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem

openssl genrsa -out server.key 2048

openssl req -new -key server.key -subj "/CN=$NGROK_DOMAIN" -out server.csr

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000

cp rootCA.pem assets/client/tls/ngrokroot.crt

cp server.crt assets/server/tls/snakeoil.crt

cp server.key assets/server/tls/snakeoil.key

sed '5 ilog "github.com/keepeye/log4go"' -i /usr/local/ngrok/src/ngrok/log/logger.go

# 编译服务端

cd /usr/local/go/src

GOOS=linux GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=linux GOARCH=amd64 make release-server

GOOS=linux GOARCH=amd64 make release-client

# 编译客户端

cd /usr/local/go/src

GOOS=darwin GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=darwin GOARCH=amd64 make release-client

cd /usr/local/go/src

GOOS=windows GOARCH=amd64 ./make.bash

cd /usr/local/ngrok/

GOOS=windows GOARCH=amd64 make release-client

ngrok服务启动

#!/bin/bash

cd /usr/local/ngrok/
./bin/ngrokd -tlsKey="assets/server/tls/snakeoil.key" -tlsCrt="assets/server/tls/snakeoil.crt" -domain="ops.ac.cn"

#!/bin/bash

cd /usr/local/ngrok/

./bin/ngrokd -tlsKey="assets/server/tls/snakeoil.key" -tlsCrt="assets/server/tls/snakeoil.crt" -domain="ops.ac.cn"

客户端连接

# 配置文件准备
server_addr: "ops.ac.cn:4443"
trust_host_root_certs: false

# 配置文件准备

server_addr: "ops.ac.cn:4443"

trust_host_root_certs: false

ngrok出现”bad certificate”的原因： 1. 看准了， server_address居然是直接使用的主域名， 2. 编译出来的ngrok程序一定是使用和server相同的证书产生的。如果server编译出来的在本地运行的时候出现“segment fault“，那么可以尝试着将/usr/local/ngrok放到本地，然后运行编译客户端的几行代码重新编译即可。 3. 客户端启动的配置文件中，trust_host_root_certs选项，除非你的证书是第三方的，否则就乖乖的使用false吧 ssl脚本执行目录：/root/ssl/ www目录: /root/www/challenges ， python -m SimpleHTTPServer 80 sendemail放置地方：/root/ssl/sendemail ＨＴＴＰ服务器准备如果胆儿大，直接执行如下的内容即可

#!/bin/bash
# filepath: /root/ssl/a.sh

# 清场
ls | grep -v a.sh | grep -v sendemail | grep -v tar.gz | xargs -i rm -f {}

which openssl || (echo "没有找到openssl，开始安装"; yum install -y openssl)

# 创建一个目录
mkdir /root/ssl && echo "创建临时目录成功!" || (echo "创建临时目录失败";exit)

# 创建一个RSA私钥
openssl genrsa 4096 > account.key && echo "创建RSA私钥成功！" || (echo "创建RSA私钥失败!";exit)

# 创建另一个RSA私钥
openssl genrsa 4096 > domain.key && echo "创建另外一个私钥成功！" || (echo "创建另外一个RSA私钥失败！";exit)

#创建ECC私钥
openssl ecparam -genkey -name secp256r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)
openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

#生成ＣＳＲ文件，有两种方式，我用的是第二种，但是第一种可以一次多申请几个，可以稍后测试
# In how many days should certificates expire?
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SD"
export KEY_CITY="JN"
export KEY_ORG="IIOT"
export KEY_EMAIL="zzlyzq@gmail.com"
export KEY_OU="CloudPlatform"

#openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
openssl req -new -sha256 -key domain.key -out domain.csr

# 配置验证服务，为啥要这么说呢，因为letsencrypt给的也是DV，也就是域名验证，我们运行软件申请的时候，本身python脚本会在本地写一个随机数到一个随机文件，它们官方会从远端经过公网DNS解析并去获取这个文件，如果一致，就说明这个站点是我们的，也就可以申请证书了。
[ -d "~/www/challenges" ] || mkdir -p ~/www/challenges/
# 另外，还需要两个步骤，最后会说明为啥要这两个步骤。
mkdir /root/www/challenges/.well-known/ -p
ln -s /root/www/challenges/ /root/www/challenges/.well-known/acme-challenge

# 接下来我们就要下载python脚本，并去申请证书了
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

#　在执行下面之前，我们可以打开网站，最简单的就是使用python
#nohup python -m SimpleHTTPServer 80&
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

# 如果一切正常，我们会看到signed.crt这个就是我们的证书了。

# 另外，我们还需要letsencrypt的中间证书，我也不知道啥意思，反正是需要一个官网的东西
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

# 打包发送
tar czvf crt.tar.gz chained.pem domain.key
./sendemail -f 123@vip.126.com -t 123@iiot.ac.cn -s smtp.vip.126.com -u "证书快递" -xu 123 -xp 123 -m "证书For域名：XX生成成功" -a crt.tar.gz -o message-charset=utf-8

#!/bin/bash

# filepath: /root/ssl/a.sh

# 清场

ls | grep -v a.sh | grep -v sendemail | grep -v tar.gz | xargs -i rm -f {}

which openssl || (echo "没有找到openssl，开始安装"; yum install -y openssl)

# 创建一个目录

mkdir /root/ssl && echo "创建临时目录成功!" || (echo "创建临时目录失败";exit)

# 创建一个RSA私钥

openssl genrsa 4096 > account.key && echo "创建RSA私钥成功！" || (echo "创建RSA私钥失败!";exit)

# 创建另一个RSA私钥

openssl genrsa 4096 > domain.key && echo "创建另外一个私钥成功！" || (echo "创建另外一个RSA私钥失败！";exit)

#创建ECC私钥

openssl ecparam -genkey -name secp256r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key && echo "创建ECC私钥成功！" || (echo "创建ECC私钥失败！";exit)

#生成ＣＳＲ文件，有两种方式，我用的是第二种，但是第一种可以一次多申请几个，可以稍后测试

# In how many days should certificates expire?

export KEY_EXPIRE=3650

export KEY_COUNTRY="CN"

export KEY_PROVINCE="SD"

export KEY_CITY="JN"

export KEY_ORG="IIOT"

export KEY_EMAIL="zzlyzq@gmail.com"

export KEY_OU="CloudPlatform"

#openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

openssl req -new -sha256 -key domain.key -out domain.csr

# 配置验证服务，为啥要这么说呢，因为letsencrypt给的也是DV，也就是域名验证，我们运行软件申请的时候，本身python脚本会在本地写一个随机数到一个随机文件，它们官方会从远端经过公网DNS解析并去获取这个文件，如果一致，就说明这个站点是我们的，也就可以申请证书了。

[ -d "~/www/challenges" ] || mkdir -p ~/www/challenges/

# 另外，还需要两个步骤，最后会说明为啥要这两个步骤。

mkdir /root/www/challenges/.well-known/ -p

ln -s /root/www/challenges/ /root/www/challenges/.well-known/acme-challenge

# 接下来我们就要下载python脚本，并去申请证书了

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

#　在执行下面之前，我们可以打开网站，最简单的就是使用python

#nohup python -m SimpleHTTPServer 80&

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

# 如果一切正常，我们会看到signed.crt这个就是我们的证书了。

# 另外，我们还需要letsencrypt的中间证书，我也不知道啥意思，反正是需要一个官网的东西

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem

cat signed.crt intermediate.pem > chained.pem

wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem

cat intermediate.pem root.pem > full_chained.pem

# 打包发送

tar czvf crt.tar.gz chained.pem domain.key

./sendemail -f 123@vip.126.com -t 123@iiot.ac.cn -s smtp.vip.126.com -u "证书快递" -xu 123 -xp 123 -m "证书For域名：XX生成成功" -a crt.tar.gz -o message-charset=utf-8

生成的时候会要求输入一些东西，比如国家，省会，城市，公司名称，common name最重要，这个就是域名哦。生成完成后，会自动打包发送邮件。转自： https://blog.csdn.net/vbaspdelphi/article/details/53185943 可参考：https://learnku.com/articles/19999

By sean, 5 years06/19/2020 ago

未分类

How To Setup DNS Slave Auto Configuration Using Virtualmin/Webmin

实现步骤由于bind主从集群安装完成后，用webmin管理的话，在新创建主区域后，无法自动同步到从节点，现在找到解决办法了用Virtualmin去做主dns，去管理slave dns 在Post-Installation Wizard界面配置主从节点信息在server index里将从节点加入，用户名密码可以用webmin的主帐号 admin 在bind dns管理里在cluster slave servers里加入dns slave cluster改变的文件还是蛮多的：改变文件： /etc/webmin/virtual-server/config /etc/webmin/bind8/config /etc/webmin/servers/1592326172.serv /etc/named.rfc1912.zones /etc/named.conf 所以最好调cgi接口去做改动完了以后，就可以主从自动同步了其中修改完的virtual-server/config文件是这样的：

avail_mail=1
quotas=1
defnodbname=0
bccs=0
mail_system=0
clamscan_cmd=clamscan
sent_folder=Sent
bw_ftplog_rotated=1
avail_change-user=1
rs_endpoint=https://identity.api.rackspacecloud.com/v1.0
edit_quota=1
nopostfix_extra_user=0
show_mailuser=1
webmin=1
avail_webminlog=0
maillog_period=30
vpopmail_group=vchkpw
defmquota=51200
homes_dir=homes
postgres=0
dependent_mail=0
php_vars=+memory_limit=32M
nolink_certs=0
maillog_hide=0
reseller_template=none
rs_snet=0
dbfnorename=0
pbzip2=0
check_apache=0
backup_feature_logrotate=1
leave_acl=0
avail_phpini=1
spam_white=0
backup_feature_webalizer=1
secmx_nodns=0
newuser_to_mailbox=1
dir=3
remote_alias=1
virtual_skel=/etc/skel
groupsame=0
max_backups=3
mysql_chgrp=1
other_doms=0
show_sysinfo=2
auto_letsencrypt=0
defmongrelslimit=4
show_validation=0
gacl_root=${HOME}
edit_ftp=1
avail_mailboxes=1
delete_logs=0
show_uquotas=0
defforceunder=0
alias_types=1,2,5,6,7,8,9,10,11,12,13
spam_lock=0
postfix_ssl=1
spam_trap_black=0
avail_passwd=1
from_reseller=0
preload_mode=0
aliascopy=1
gzip_mysql=1
avail_filemin=1
show_nf=master,reseller,domain
vpopmail_user=vpopmail
vpopmail_owner=0
gacl_groups=${GROUP}
proxy_pass=0
other_users=0
show_lastlogin=0
display_max=
backup_feature_mysql=1
avail_file=1
vpopmail_maildir=mail
avail_bind8=1
collect_restart=0
default_procmail=0
tlsa_records=0
local_template=none
can_letsencrypt=0
dovecot_ssl=1
avail_webalizer=1
bw_backup=1
check_ports=1
defuquota=1048576
bind_sub=yes
mysql_mkdb=1
delete_indom=0
show_tabs=0
spamclear=none
newdom_aliases=postmaster=${EMAILTO}	webmaster=${EMAILTO}	abuse=${EMAILTO}	hostmaster=${EMAILTO}
clam_delivery=/dev/null
ftp_shell=/bin/false
avail_dns=1
usermin_switch=1
status=0
alias_mode=1
drafts_folder=Drafts
user_template=none
avail_mysql=1
shell=/dev/null
auto_redirect=0
show_ugroup=0
jailkit_root=/home/chroot
stats_noedit=1
domains_sort=sub
subdomain_template=none
unix=3
hard_quotas=1
ssl=0
logrotate=1
lookup_domain_serial=0
upload_tries=3
backup_feature_virtualmin=1
defujail=0
webalizer_nocron=0
update_template=default
generics=0
collect_noall=0
mysql=1
mysql_db=${PREFIX}
all_namevirtual=0
name_max=20
avail_postgres=1
hashpass=0
avail_custom=0
backup_onebyone=1
backup_feature_dir=1
show_features=0
disable_mail=0
web_admin=1
avail_updown=0
php_suexec=0
allow_upper=0
defquota=1048576
show_mailsize=0
home_backup=virtualmin-backup
avail_at=1
warnbw_template=default
key_size=2048
webmin_ssl=1
ldap=0
hashtypes=*
mysql_nouser=0
bw_maillog=auto
avail_cron=1
force_email=0
passwd_mode=0
bw_notify=24
usermin_ssl=1
apache_star=0
web_webmail=1
append_style=0
show_quotas=0
initsub_template=1
avail_shell=0
avail_proc=2
template_auto=1
name_mode=0
unix_shell=/bin/bash /bin/sh
edit_homes=0
backup_rotated=0
compression=0
web=0
bw_owner=1
logrotate_shared=yes
avail_telnet=1
iface=eth0
avail_web=1
collect_notemp=0
disable=unix,mail,web,dns,mysql,postgres,ftp
backup_feature_web=1
ip6enabled=0
ruby_suexec=-1
backuplog_days=7
output_command=0
dns_check=1
show_pass=1
stats_pass=1
mysql_nopass=0
apache_config=ServerName ${DOM}	ServerAlias www.${DOM}	ServerAlias mail.${DOM}	DocumentRoot ${HOME}/public_html	ErrorLog /var/log/virtualmin/${DOM}_error_log	CustomLog /var/log/virtualmin/${DOM}_access_log combined	ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/	DirectoryIndex index.html index.htm index.php index.php4 index.php5	<Directory ${HOME}/public_html>	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 	allow from all	AllowOverride All	</Directory>	<Directory ${HOME}/cgi-bin>	allow from all	AllowOverride All	</Directory>
avail_htaccess-htpasswd=1
quota_commands=0
show_preview=2
dns=1
limitnoalias=0
bw_period=30
init_template=0
dns_prins=1
longname=0
proftpd_config=ServerName ${DOM}	<Anonymous ${HOME}/ftp>	User ftp	Group ftp	UserAlias anonymous ftp	<Limit WRITE>	DenyAll	</Limit>	RequireValidShell off	ExtendedLog ${HOME}/logs/ftp.log	</Anonymous>
mem_low=256
backup_feature_unix=1
capabilities=none
gacl_umode=1
jail_age=24
hide_alias=0
edit_afiles=1
trash_folder=Trash
plan_auto=1
backup_feature_dns=1
ldap_mail=0
post_check=1
domain_template=none
ldap_mailstore=$HOME/Maildir/
collect_interval=5
mx_validate=1
spam_client=spamassassin
nodeniedssh=1
cert_type=sha2
gacl_ugroups=${GROUP}
aws_cmd=aws
batch_create=1
vpopmail_dir=/home/vpopmail
index_cols=dom,user,owner,users,aliases
newupdate_to_mailbox=1
append=1
backup_feature_mail=1
backup_feature_ssl=1
webmin_theme=*
avail_spam=1
ldap_unix=1
ftp=0
spam=0
max_manual=0
ham_trap_white=0
reseller_unix=0
vpopmail_auto=/usr/local/bin/autorespond
ipfollow=0
mail=0
bw_template=default
backup_fmt=2
virus=0
pigz=0
statussslcert=1
avail_syslog=1
backup_feature_postgres=1
bw_nomailout=0
webalizer=0
max_all=1
delete_virts=0
dns_ip=*
virt6=1
virt=1
first_version=6.09
old_defip=172.20.47.59
old_defip6=fe80::487:3eff:fe00:aed
backup_feature_all=1
allow_subdoms=0
scriptlatest_enabled=1
allow_symlinks=0
allow_modphp=0
mysql_user_size=80
mysql_size=huge
stats_hdir=
domalias=
php_noedit=0
bind_dmarcruf=
disabled_web=
dnssec_alg=
othergroups=
logrotate_config=
statusemail=
html_dir=
defipfollow=
deftmpl_nousers=
php_ini_5.4=
dnssec=
php_ini_5.8=
web_sslport=443
php_ini_7.4=
mysql_conns=none
php_ini_7.9=
statustimeout=
tmpl_outlook_autoconfig=none
gacl_users=
php_ini_5.2=
namedconf=
bind_spfhosts=
ip_ranges6=
newuser_aliases=
phpver=
dns_view=
php_fpm=
php_ini_5.7=
web_urlport=
php_ini_5.9=
web_user=
web_urlsslport=
newdom_cc=
defsafeunder=
logrotate_files=
defaliasdomslimit=*
web_sslprotos=
web_admindom=
php_ini_7.1=
html_perms=750
statustmpl=
php_ini_7.3=
statusonly=0
defdomslimit=
phpchildren=
defmailboxlimit=
defcapabilities=none
bind_spfall=
tmpl_autoconfig=none
php_ini_7.8=
dns_ns=ns2.yyuap.com
apache_ssl_config=
default_exclude=
defresources=none
defaliaslimit=
domains_group=
dbgroup=
virtual_skel_subs=0
bccto=none
postgres_encoding=none
mysql_hosts=
mysql_wild=
namedconf_no_also_notify=
bind_dmarc=
php_ini_5=
def_webalizer=
web_ssi_suffix=
webmin_group=
bind_config=
spamtrap=none
php_ini_7.2=
defbwlimit=
bind_master=ns1.yyuap.com
mysql_charset=
php_ini_5.3=
extra_prefix=
php_ini_7.7=
defdbslimit=
web_ssi=2
bind_dmarcpct=100
namedconf_no_allow_transfer=
ftp_dir=
defushell=none
mysql_uconns=none
php_ini_7.6=
php_ini_5.6=
mailgroup=
web_writelogs=
web_webmaildom=
domalias_type=0
stats_dir=
web_port=80
ip_ranges=
bind_replace=
disabled_url=
defnorename=
featurelimits=none
mysql_collate=
bind_dmarcp=none
php_ini_7.0=
bind_dmarcextra=
php_ini_7.5=
mysql_suffix=
ftpgroup=
bind_spfincludes=
newdom_bcc=
virtual_skel_nosubs=
bind_indom=
defrealdomslimit=*
newdom_alias_bounce=0
bind_dmarcrua=
last_check=1592358795
php_ini_5.5=
bind_spf=
newdom_subject=虚拟服务器已创建
dns_ttl=
dns_records=
bind_mx=
dnssec_single=
defugroup=none
wizard_run=1
plugins_inactive=
plugins=
group_quotas=
mail_quotas=
home_quotas=

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

avail_mail=1

quotas=1

defnodbname=0

bccs=0

mail_system=0

clamscan_cmd=clamscan

sent_folder=Sent

bw_ftplog_rotated=1

avail_change-user=1

rs_endpoint=https://identity.api.rackspacecloud.com/v1.0

edit_quota=1

nopostfix_extra_user=0

show_mailuser=1

webmin=1

avail_webminlog=0

maillog_period=30

vpopmail_group=vchkpw

defmquota=51200

homes_dir=homes

postgres=0

dependent_mail=0

php_vars=+memory_limit=32M

nolink_certs=0

maillog_hide=0

reseller_template=none

rs_snet=0

dbfnorename=0

pbzip2=0

check_apache=0

backup_feature_logrotate=1

leave_acl=0

avail_phpini=1

spam_white=0

backup_feature_webalizer=1

secmx_nodns=0

newuser_to_mailbox=1

dir=3

remote_alias=1

virtual_skel=/etc/skel

groupsame=0

max_backups=3

mysql_chgrp=1

other_doms=0

show_sysinfo=2

auto_letsencrypt=0

defmongrelslimit=4

show_validation=0

gacl_root=${HOME}

edit_ftp=1

avail_mailboxes=1

delete_logs=0

show_uquotas=0

defforceunder=0

alias_types=1,2,5,6,7,8,9,10,11,12,13

spam_lock=0

postfix_ssl=1

spam_trap_black=0

avail_passwd=1

from_reseller=0

preload_mode=0

aliascopy=1

gzip_mysql=1

avail_filemin=1

show_nf=master,reseller,domain

vpopmail_user=vpopmail

vpopmail_owner=0

gacl_groups=${GROUP}

proxy_pass=0

other_users=0

show_lastlogin=0

display_max=

backup_feature_mysql=1

avail_file=1

vpopmail_maildir=mail

avail_bind8=1

collect_restart=0

default_procmail=0

tlsa_records=0

local_template=none

can_letsencrypt=0

dovecot_ssl=1

avail_webalizer=1

bw_backup=1

check_ports=1

defuquota=1048576

bind_sub=yes

mysql_mkdb=1

delete_indom=0

show_tabs=0

spamclear=none

newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=${EMAILTO}

clam_delivery=/dev/null

ftp_shell=/bin/false

avail_dns=1

usermin_switch=1

status=0

alias_mode=1

drafts_folder=Drafts

user_template=none

avail_mysql=1

shell=/dev/null

auto_redirect=0

show_ugroup=0

jailkit_root=/home/chroot

stats_noedit=1

domains_sort=sub

subdomain_template=none

unix=3

hard_quotas=1

ssl=0

logrotate=1

lookup_domain_serial=0

upload_tries=3

backup_feature_virtualmin=1

defujail=0

webalizer_nocron=0

update_template=default

generics=0

collect_noall=0

mysql=1

mysql_db=${PREFIX}

all_namevirtual=0

name_max=20

avail_postgres=1

hashpass=0

avail_custom=0

backup_onebyone=1

backup_feature_dir=1

show_features=0

disable_mail=0

web_admin=1

avail_updown=0

php_suexec=0

allow_upper=0

defquota=1048576

show_mailsize=0

home_backup=virtualmin-backup

avail_at=1

warnbw_template=default

key_size=2048

webmin_ssl=1

ldap=0

hashtypes=*

mysql_nouser=0

bw_maillog=auto

avail_cron=1

force_email=0

passwd_mode=0

bw_notify=24

usermin_ssl=1

apache_star=0

web_webmail=1

append_style=0

show_quotas=0

initsub_template=1

avail_shell=0

avail_proc=2

template_auto=1

name_mode=0

unix_shell=/bin/bash /bin/sh

edit_homes=0

backup_rotated=0

compression=0

web=0

bw_owner=1

logrotate_shared=yes

avail_telnet=1

iface=eth0

avail_web=1

collect_notemp=0

disable=unix,mail,web,dns,mysql,postgres,ftp

backup_feature_web=1

ip6enabled=0

ruby_suexec=-1

backuplog_days=7

output_command=0

dns_check=1

show_pass=1

stats_pass=1

mysql_nopass=0

apache_config=ServerName ${DOM} ServerAlias www.${DOM} ServerAlias mail.${DOM} DocumentRoot ${HOME}/public_html ErrorLog /var/log/virtualmin/${DOM}_error_log CustomLog /var/log/virtualmin/${DOM}_access_log combined ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 <Directory ${HOME}/public_html> Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch allow from all AllowOverride All </Directory> <Directory ${HOME}/cgi-bin> allow from all AllowOverride All </Directory>

avail_htaccess-htpasswd=1

quota_commands=0

show_preview=2

dns=1

limitnoalias=0

bw_period=30

init_template=0

dns_prins=1

longname=0

proftpd_config=ServerName ${DOM} <Anonymous ${HOME}/ftp> User ftp Group ftp UserAlias anonymous ftp <Limit WRITE> DenyAll </Limit> RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log </Anonymous>

mem_low=256

backup_feature_unix=1

capabilities=none

gacl_umode=1

jail_age=24

hide_alias=0

edit_afiles=1

trash_folder=Trash

plan_auto=1

backup_feature_dns=1

ldap_mail=0

post_check=1

domain_template=none

ldap_mailstore=$HOME/Maildir/

collect_interval=5

mx_validate=1

spam_client=spamassassin

nodeniedssh=1

cert_type=sha2

gacl_ugroups=${GROUP}

aws_cmd=aws

batch_create=1

vpopmail_dir=/home/vpopmail

index_cols=dom,user,owner,users,aliases

newupdate_to_mailbox=1

append=1

backup_feature_mail=1

backup_feature_ssl=1

webmin_theme=*

avail_spam=1

ldap_unix=1

ftp=0

spam=0

max_manual=0

ham_trap_white=0

reseller_unix=0

vpopmail_auto=/usr/local/bin/autorespond

ipfollow=0

mail=0

bw_template=default

backup_fmt=2

virus=0

pigz=0

statussslcert=1

avail_syslog=1

backup_feature_postgres=1

bw_nomailout=0

webalizer=0

max_all=1

delete_virts=0

dns_ip=*

virt6=1

virt=1

first_version=6.09

old_defip=172.20.47.59

old_defip6=fe80::487:3eff:fe00:aed

backup_feature_all=1

allow_subdoms=0

scriptlatest_enabled=1

allow_symlinks=0

allow_modphp=0

mysql_user_size=80

mysql_size=huge

stats_hdir=

domalias=

php_noedit=0

bind_dmarcruf=

disabled_web=

dnssec_alg=

othergroups=

logrotate_config=

statusemail=

html_dir=

defipfollow=

deftmpl_nousers=

php_ini_5.4=

dnssec=

php_ini_5.8=

web_sslport=443

php_ini_7.4=

mysql_conns=none

php_ini_7.9=

statustimeout=

tmpl_outlook_autoconfig=none

gacl_users=

php_ini_5.2=

namedconf=

bind_spfhosts=

ip_ranges6=

newuser_aliases=

phpver=

dns_view=

php_fpm=

php_ini_5.7=

web_urlport=

php_ini_5.9=

web_user=

web_urlsslport=

newdom_cc=

defsafeunder=

logrotate_files=

defaliasdomslimit=*

web_sslprotos=

web_admindom=

php_ini_7.1=

html_perms=750

statustmpl=

php_ini_7.3=

statusonly=0

defdomslimit=

phpchildren=

defmailboxlimit=

defcapabilities=none

bind_spfall=

tmpl_autoconfig=none

php_ini_7.8=

dns_ns=ns2.yyuap.com

apache_ssl_config=

default_exclude=

defresources=none

defaliaslimit=

domains_group=

dbgroup=

virtual_skel_subs=0

bccto=none

postgres_encoding=none

mysql_hosts=

mysql_wild=

namedconf_no_also_notify=

bind_dmarc=

php_ini_5=

def_webalizer=

web_ssi_suffix=

webmin_group=

bind_config=

spamtrap=none

php_ini_7.2=

defbwlimit=

bind_master=ns1.yyuap.com

mysql_charset=

php_ini_5.3=

extra_prefix=

php_ini_7.7=

defdbslimit=

web_ssi=2

bind_dmarcpct=100

namedconf_no_allow_transfer=

ftp_dir=

defushell=none

mysql_uconns=none

php_ini_7.6=

php_ini_5.6=

mailgroup=

web_writelogs=

web_webmaildom=

domalias_type=0

stats_dir=

web_port=80

ip_ranges=

bind_replace=

disabled_url=

defnorename=

featurelimits=none

mysql_collate=

bind_dmarcp=none

php_ini_7.0=

bind_dmarcextra=

php_ini_7.5=

mysql_suffix=

ftpgroup=

bind_spfincludes=

newdom_bcc=

virtual_skel_nosubs=

bind_indom=

defrealdomslimit=*

newdom_alias_bounce=0

bind_dmarcrua=

last_check=1592358795

php_ini_5.5=

bind_spf=

newdom_subject=虚拟服务器已创建

dns_ttl=

dns_records=

bind_mx=

dnssec_single=

defugroup=none

wizard_run=1

plugins_inactive=

plugins=

group_quotas=

mail_quotas=

home_quotas=

ansible-playbook实现 ansible-playbook是这样写的： bind.yml: 其中配置virtual server时，一开始本来想调用uri，但是发现步骤太多麻烦而不生效，后来就直接用模板来做了

---

- name: "create server id"
  shell: perl -e 'print (time()+int(rand(20)))'
  register: server_id
  with_items: 
    - "{{ groups['bind-dns'] }}"
  when: inventory_hostname in groups['bind-dns']

- set_fact:
    server_id: "{{ server_id['results'][0]['stdout']}}"
  when: inventory_hostname in groups['bind-dns']

- name: define paramiters for dns servers
  set_fact:
    server_id: "{{ server_id }}"
    prins: "ns1.{{ ns_domain }}"
    secns: "{{ secns|default([]) + ['ns' + (ansible_loop.index+1)|string + '.' + ns_domain] }}"
    old_defip: "{{ inventory_hostname }}"
  with_items: 
    - "{{ groups['bind-dns'] }}"
  loop_control:
    extended: yes
  when: inventory_hostname in groups['bind-dns']

- name: "add hosts into /etc/hosts for bind servers"
  lineinfile:
    dest: /etc/hosts
    regexp: '.*{{ item }}.*$'
    line: "{{ hostvars[item].inventory_hostname }} {{ hostvars[item].ansible_fqdn }} ns{{ ansible_loop.index }}.{{ ns_domain }}"
    state: present
  with_items: 
    - "{{ groups['bind-dns'] }}"
  loop_control:
    extended: yes
  when: inventory_hostname in groups['bind-dns']

- name: "login webmin to create a cookie"
  uri:
    url: http://127.0.0.1:20000/session_login.cgi
    method: POST
    body_format: form-urlencoded
    status_code: [301,302]
    body:
      user: admin
      pass: admin123
      enter: Sign in
    return_content: yes
    headers:
      Cookie: "testing=1"
  register: login
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"


- name: config virtual-server
  template:
    src: virtual-server-config.j2
    dest: /etc/webmin/virtual-server/config
    mode: '0711'
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: check and reload Virtualmin
  uri:
    url: http://127.0.0.1:20000/virtual-server/check.cgi?
    validate_certs: no
    method: GET
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200]
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: "config virtual-server step by step"
#   shell:
#     cmd: |
#       url='http://127.0.0.1:20000/virtual-server/wizard.cgi'
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=1&preload=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=2&mysql=0&postgres=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=3&prins={{ prins }}.&secns={{ secns }}.&prins_skip=1&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=4&hashpass=0&parse=Next
#       curl -H "Cookie: {{ login.set_cookie }}" $url?step=5&parse=Next
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"
#   register: curl

# - name: config wizard
#   uri:
#     url: http://127.0.0.1:20000/virtual-server/wizard.cgi
#     validate_certs: no
#     method: POST
#     #return_content: yes
#     headers:
#       Cookie: "{{ login.set_cookie }}"
#     status_code: [200,301,302]
#     body_format: form-urlencoded
#     body:
#       mysql: 0
#       postgres: 0
#       preload: 0
#       lookup: 0
#       prins: "{{ prins }}"
#       prins_skip: 1
#       secns: "{{ secns }}"
#       hashpass: 0
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: modify virtual server plugin
#   uri:
#     url: http://127.0.0.1:20000/virtual-server/save_newfeatures.cgi
#     validate_certs: no
#     method: POST
#     #return_content: yes
#     headers:
#       Cookie: "{{ login.set_cookie }}"
#     status_code: [200,301,302]
#     body_format: form-urlencoded
#     body:
#       fmods: dns
#       factive: dns
#       save: '%E4%BF%9D%E5%AD%98'
#   run_once: true
#   delegate_to: "{{ groups['bind-dns'][0] }}"


# create server index
- name: "add servers to webmin cluster"
  shell:
    cmd: |
      cat > /etc/webmin/servers/{{ hostvars[item].server_id }}.serv << EOF
      pass=admin123
      ssl=0
      checkssl=
      port=20000
      host={{ item }}
      group=
      desc=
      user=admin
      id={{ hostvars[item].server_id }}
      type=centos
      fast=1
      EOF
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"
  with_items: 
    - "{{ groups['bind-dns'][1:] }}"

- name: add dns slave servers to dns master server
  uri:
    url: http://127.0.0.1:20000/bind8/slave_add.cgi
    validate_certs: no
    method: POST
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200,301,302]
    body_format: form-urlencoded
    body:
      server: '{{ hostvars[item].server_id }}'
      view_def: 1
      view: ''
      sec: 1
      sync: 1
      name_def: 0
      name: "{{ secns[ansible_loop.index0] }}"
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"
  with_items: 
    - "{{ groups['bind-dns'][1:] }}"
  loop_control:
    extended: yes

- name: "Setting the Master IP Address"
  lineinfile:
    dest: /etc/webmin/bind8/config
    regexp: '^this_ip.*$'
    line: "this_ip={{ groups['bind-dns'][0] }}"
    state: present
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: Basic Setup of DNS server
  uri:
    url: http://127.0.0.1:20000/bind8/save_zonedef.cgi
    validate_certs: no
    method: POST
    #return_content: yes
    headers:
      Cookie: "{{ login.set_cookie }}"
    status_code: [200,301,302]
    body_format: form-urlencoded
    body:
      refresh: 10800
      refunit: ''
      retry: 3600
      retunit: ''
      expiry: 604800
      expunit:
      minimum: 38400
      minunit:
      name_0:
      type_0: A
      value_0_def: 1
      name_1:
      type_1: A
      value_1_def: 1
      include_def: 1
      email: 'iuap_admin@yonyou.com'
      prins_def: 0
      prins: '{{ prins }}'
      dnssec: 0
      alg: RSASHA1
      size_def: 1
      size: 
      single: 0
      allow-transfer_def: 0
      allow-transfer: acl1
      allow-query_def: 0
      allow-query: any
      also-notify_def: 1
      also-notify:
      master: ignore
      slave:
      response:
      notify:
  run_once: true
  delegate_to: "{{ groups['bind-dns'][0] }}"

- name: "add new user bind for manage dns"
  lineinfile:
    dest: /etc/webmin/miniserv.users
    line: "bind:$1$73641827$.K742ybaJY33hg1vQQlQL/::::::::0::::"
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "add user bind acl for manage dns"
  lineinfile:
    dest: /etc/webmin/webmin.acl
    line: "bind: bind8"
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "create bind.acl file"
  file:
    path: "/etc/webmin/bind.acl"
    state: touch
    mode: '0611'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "add bind acl for user"
  shell:
    cmd: |
      cat > /etc/webmin/bind.acl << 'EOF'
      rpc=2
      nodot=0
      webminsearch=1
      uedit_mode=0
      gedit_mode=0
      feedback=2
      otherdirs=
      readonly=0
      fileunix=root
      uedit=
      negative=0
      root=/
      uedit2=
      gedit=
      gedit2=
      EOF
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "set language to zh_CN for user bind"
  lineinfile:
    dest: /etc/webmin/config
    line: 'lang_bind=zh_CN.UTF-8'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

# add cron job for backup configure file
- name: define parameter for backup.pl
  set_fact:
    script_dir: "backup-config"
    script: "backup.pl"

- name: create backup script
  template:
    src: run_perl.j2
    dest: /etc/webmin/{{ script_dir }}/{{ script }}
    mode: '0755'
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

- name: "create cron jobs"
  shell:
    cmd: |
      cron_job_id=$(perl -e 'print time().$$')
      job_dir=/etc/webmin/{{ script_dir }}/backups
      backup_dir=/data/backup/bind
      mkdir -p $job_dir $backup_dir
      cat > $job_dir/${cron_job_id}.backup << EOF
      configfile=
      dest=/data/backup/bind/bind_config
      others=
      post=conf="$backup_dir/bind_config"; conf_time=\${conf}_\$(date +%F-%H-%M); [[ -f "\$conf" ]] && echo "move \$conf to \$conf_time" && mv \$conf \$conf_time
      pre=
      email=
      mins=0
      mods=bind8
      sched=1
      id=$cron_job_id
      hours=0
      days=*
      nofiles=
      emode=0
      weekdays=*
      months=*
      EOF
      grep -q "${cron_job_id}" /var/spool/cron/root || echo "0 0 * * * /etc/webmin/backup-config/backup.pl ${cron_job_id}" >> /var/spool/cron/root
  run_once: true
  delegate_to: "{{item}}"
  loop: "{{ groups['bind-dns'] }}"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

---

- name: "create server id"

shell: perl -e 'print (time()+int(rand(20)))'

with_items:

- "{{ groups['bind-dns'] }}"

when: inventory_hostname in groups['bind-dns']

- set_fact:

server_id: "{{ server_id['results'][0]['stdout']}}"

when: inventory_hostname in groups['bind-dns']

- name: define paramiters for dns servers

set_fact:

server_id: "{{ server_id }}"

prins: "ns1.{{ ns_domain }}"

secns: "{{ secns|default([]) + ['ns' + (ansible_loop.index+1)|string + '.' + ns_domain] }}"

old_defip: "{{ inventory_hostname }}"

with_items:

- "{{ groups['bind-dns'] }}"

loop_control:

extended: yes

when: inventory_hostname in groups['bind-dns']

- name: "add hosts into /etc/hosts for bind servers"

lineinfile:

dest: /etc/hosts

regexp: '.*{{ item }}.*$'

line: "{{ hostvars[item].inventory_hostname }} {{ hostvars[item].ansible_fqdn }} ns{{ ansible_loop.index }}.{{ ns_domain }}"

state: present

with_items:

- "{{ groups['bind-dns'] }}"

loop_control:

extended: yes

when: inventory_hostname in groups['bind-dns']

- name: "login webmin to create a cookie"

uri:

url: http://127.0.0.1:20000/session_login.cgi

method: POST

body_format: form-urlencoded

status_code: [301,302]

body:

user: admin

pass: admin123

enter: Sign in

return_content: yes

headers:

Cookie: "testing=1"

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: config virtual-server

template:

src: virtual-server-config.j2

dest: /etc/webmin/virtual-server/config

mode: '0711'

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: check and reload Virtualmin

uri:

url: http://127.0.0.1:20000/virtual-server/check.cgi?

validate_certs: no

method: GET

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200]

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: "config virtual-server step by step"

# shell:

# cmd: |

# url='http://127.0.0.1:20000/virtual-server/wizard.cgi'

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=1&preload=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=2&mysql=0&postgres=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=3&prins={{ prins }}.&secns={{ secns }}.&prins_skip=1&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=4&hashpass=0&parse=Next

# curl -H "Cookie: {{ login.set_cookie }}" $url?step=5&parse=Next

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# register: curl

# - name: config wizard

# uri:

# url: http://127.0.0.1:20000/virtual-server/wizard.cgi

# validate_certs: no

# method: POST

# #return_content: yes

# headers:

# Cookie: "{{ login.set_cookie }}"

# status_code: [200,301,302]

# body_format: form-urlencoded

# body:

# mysql: 0

# postgres: 0

# preload: 0

# lookup: 0

# prins: "{{ prins }}"

# prins_skip: 1

# secns: "{{ secns }}"

# hashpass: 0

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# - name: modify virtual server plugin

# uri:

# url: http://127.0.0.1:20000/virtual-server/save_newfeatures.cgi

# validate_certs: no

# method: POST

# #return_content: yes

# headers:

# Cookie: "{{ login.set_cookie }}"

# status_code: [200,301,302]

# body_format: form-urlencoded

# body:

# fmods: dns

# factive: dns

# save: '%E4%BF%9D%E5%AD%98'

# run_once: true

# delegate_to: "{{ groups['bind-dns'][0] }}"

# create server index

- name: "add servers to webmin cluster"

shell:

cmd: |

cat > /etc/webmin/servers/{{ hostvars[item].server_id }}.serv << EOF

pass=admin123

ssl=0

checkssl=

port=20000

host={{ item }}

group=

desc=

user=admin

id={{ hostvars[item].server_id }}

type=centos

fast=1

EOF

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

with_items:

- "{{ groups['bind-dns'][1:] }}"

- name: add dns slave servers to dns master server

uri:

url: http://127.0.0.1:20000/bind8/slave_add.cgi

validate_certs: no

method: POST

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200,301,302]

body_format: form-urlencoded

body:

server: '{{ hostvars[item].server_id }}'

view_def: 1

view: ''

sec: 1

sync: 1

name_def: 0

name: "{{ secns[ansible_loop.index0] }}"

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

with_items:

- "{{ groups['bind-dns'][1:] }}"

loop_control:

extended: yes

- name: "Setting the Master IP Address"

lineinfile:

dest: /etc/webmin/bind8/config

regexp: '^this_ip.*$'

line: "this_ip={{ groups['bind-dns'][0] }}"

state: present

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: Basic Setup of DNS server

uri:

url: http://127.0.0.1:20000/bind8/save_zonedef.cgi

validate_certs: no

method: POST

#return_content: yes

headers:

Cookie: "{{ login.set_cookie }}"

status_code: [200,301,302]

body_format: form-urlencoded

body:

refresh: 10800

refunit: ''

retry: 3600

retunit: ''

expiry: 604800

expunit:

minimum: 38400

minunit:

name_0:

type_0: A

value_0_def: 1

name_1:

type_1: A

value_1_def: 1

include_def: 1

email: 'iuap_admin@yonyou.com'

prins_def: 0

prins: '{{ prins }}'

dnssec: 0

alg: RSASHA1

size_def: 1

size:

single: 0

allow-transfer_def: 0

allow-transfer: acl1

allow-query_def: 0

allow-query: any

also-notify_def: 1

also-notify:

master: ignore

slave:

response:

notify:

run_once: true

delegate_to: "{{ groups['bind-dns'][0] }}"

- name: "add new user bind for manage dns"

lineinfile:

dest: /etc/webmin/miniserv.users

line: "bind:$1$73641827$.K742ybaJY33hg1vQQlQL/::::::::0::::"

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "add user bind acl for manage dns"

lineinfile:

dest: /etc/webmin/webmin.acl

line: "bind: bind8"

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "create bind.acl file"

file:

path: "/etc/webmin/bind.acl"

state: touch

mode: '0611'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "add bind acl for user"

shell:

cmd: |

cat > /etc/webmin/bind.acl << 'EOF'

rpc=2

nodot=0

webminsearch=1

uedit_mode=0

gedit_mode=0

feedback=2

otherdirs=

readonly=0

fileunix=root

uedit=

negative=0

root=/

uedit2=

gedit=

gedit2=

EOF

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "set language to zh_CN for user bind"

lineinfile:

dest: /etc/webmin/config

line: 'lang_bind=zh_CN.UTF-8'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

# add cron job for backup configure file

- name: define parameter for backup.pl

set_fact:

script_dir: "backup-config"

script: "backup.pl"

- name: create backup script

template:

src: run_perl.j2

dest: /etc/webmin/{{ script_dir }}/{{ script }}

mode: '0755'

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

- name: "create cron jobs"

shell:

cmd: |

cron_job_id=$(perl -e 'print time().$$')

job_dir=/etc/webmin/{{ script_dir }}/backups

backup_dir=/data/backup/bind

mkdir -p $job_dir $backup_dir

cat > $job_dir/${cron_job_id}.backup << EOF

configfile=

dest=/data/backup/bind/bind_config

others=

post=conf="$backup_dir/bind_config"; conf_time=\${conf}_\$(date +%F-%H-%M); [[ -f "\$conf" ]] && echo "move \$conf to \$conf_time" && mv \$conf \$conf_time

pre=

email=

mins=0

mods=bind8

sched=1

id=$cron_job_id

hours=0

days=*

nofiles=

emode=0

weekdays=*

months=*

EOF

grep -q "${cron_job_id}" /var/spool/cron/root || echo "0 0 * * * /etc/webmin/backup-config/backup.pl ${cron_job_id}" >> /var/spool/cron/root

run_once: true

delegate_to: "{{item}}"

loop: "{{ groups['bind-dns'] }}"

templates/virtual-server-config.j2模板:

avail_mail=1
quotas=1
defnodbname=0
bccs=0
mail_system=0
clamscan_cmd=clamscan
sent_folder=Sent
bw_ftplog_rotated=1
avail_change-user=1
rs_endpoint=https://identity.api.rackspacecloud.com/v1.0
edit_quota=1
nopostfix_extra_user=0
show_mailuser=1
webmin=1
avail_webminlog=0
maillog_period=30
vpopmail_group=vchkpw
defmquota=51200
homes_dir=homes
postgres=0
dependent_mail=0
php_vars=+memory_limit=32M
nolink_certs=0
maillog_hide=0
reseller_template=none
rs_snet=0
dbfnorename=0
pbzip2=0
check_apache=0
backup_feature_logrotate=1
leave_acl=0
avail_phpini=1
spam_white=0
backup_feature_webalizer=1
secmx_nodns=0
newuser_to_mailbox=1
dir=3
remote_alias=1
virtual_skel=/etc/skel
groupsame=0
max_backups=3
mysql_chgrp=1
other_doms=0
show_sysinfo=2
auto_letsencrypt=0
defmongrelslimit=4
show_validation=0
gacl_root=${HOME}
edit_ftp=1
avail_mailboxes=1
delete_logs=0
show_uquotas=0
defforceunder=0
alias_types=1,2,5,6,7,8,9,10,11,12,13
spam_lock=0
postfix_ssl=1
spam_trap_black=0
avail_passwd=1
from_reseller=0
preload_mode=0
aliascopy=1
gzip_mysql=1
avail_filemin=1
show_nf=master,reseller,domain
vpopmail_user=vpopmail
vpopmail_owner=0
gacl_groups=${GROUP}
proxy_pass=0
other_users=0
show_lastlogin=0
display_max=
backup_feature_mysql=1
avail_file=1
vpopmail_maildir=mail
avail_bind8=1
collect_restart=0
default_procmail=0
tlsa_records=0
local_template=none
can_letsencrypt=0
dovecot_ssl=1
avail_webalizer=1
bw_backup=1
check_ports=1
defuquota=1048576
bind_sub=yes
mysql_mkdb=1
delete_indom=0
show_tabs=0
spamclear=none
newdom_aliases=postmaster=${EMAILTO}	webmaster=${EMAILTO}	abuse=${EMAILTO}	hostmaster=${EMAILTO}
clam_delivery=/dev/null
ftp_shell=/bin/false
avail_dns=1
usermin_switch=1
status=0
alias_mode=1
drafts_folder=Drafts
user_template=none
avail_mysql=1
shell=/dev/null
auto_redirect=0
show_ugroup=0
jailkit_root=/home/chroot
stats_noedit=1
domains_sort=sub
subdomain_template=none
unix=3
hard_quotas=1
ssl=0
logrotate=1
lookup_domain_serial=0
upload_tries=3
backup_feature_virtualmin=1
defujail=0
webalizer_nocron=0
update_template=default
generics=0
collect_noall=0
mysql=1
mysql_db=${PREFIX}
all_namevirtual=0
name_max=20
avail_postgres=1
hashpass=0
avail_custom=0
backup_onebyone=1
backup_feature_dir=1
show_features=0
disable_mail=0
web_admin=1
avail_updown=0
php_suexec=0
allow_upper=0
defquota=1048576
show_mailsize=0
home_backup=virtualmin-backup
avail_at=1
warnbw_template=default
key_size=2048
webmin_ssl=1
ldap=0
hashtypes=*
mysql_nouser=0
bw_maillog=auto
avail_cron=1
force_email=0
passwd_mode=0
bw_notify=24
usermin_ssl=1
apache_star=0
web_webmail=1
append_style=0
show_quotas=0
initsub_template=1
avail_shell=0
avail_proc=2
template_auto=1
name_mode=0
unix_shell=/bin/bash /bin/sh
edit_homes=0
backup_rotated=0
compression=0
web=0
bw_owner=1
logrotate_shared=yes
avail_telnet=1
iface=eth0
avail_web=1
collect_notemp=0
disable=unix,mail,web,dns,mysql,postgres,ftp
backup_feature_web=1
ip6enabled=0
ruby_suexec=-1
backuplog_days=7
output_command=0
dns_check=1
show_pass=1
stats_pass=1
mysql_nopass=0
apache_config=ServerName ${DOM}	ServerAlias www.${DOM}	ServerAlias mail.${DOM}	DocumentRoot ${HOME}/public_html	ErrorLog /var/log/virtualmin/${DOM}_error_log	CustomLog /var/log/virtualmin/${DOM}_access_log combined	ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/	DirectoryIndex index.html index.htm index.php index.php4 index.php5	<Directory ${HOME}/public_html>	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 	allow from all	AllowOverride All	</Directory>	<Directory ${HOME}/cgi-bin>	allow from all	AllowOverride All	</Directory>
avail_htaccess-htpasswd=1
quota_commands=0
show_preview=2
dns=1
limitnoalias=0
bw_period=30
init_template=0
dns_prins=1
longname=0
proftpd_config=ServerName ${DOM}	<Anonymous ${HOME}/ftp>	User ftp	Group ftp	UserAlias anonymous ftp	<Limit WRITE>	DenyAll	</Limit>	RequireValidShell off	ExtendedLog ${HOME}/logs/ftp.log	</Anonymous>
mem_low=256
backup_feature_unix=1
capabilities=none
gacl_umode=1
jail_age=24
hide_alias=0
edit_afiles=1
trash_folder=Trash
plan_auto=1
backup_feature_dns=1
ldap_mail=0
post_check=1
domain_template=none
ldap_mailstore=$HOME/Maildir/
collect_interval=5
mx_validate=1
spam_client=spamassassin
nodeniedssh=1
cert_type=sha2
gacl_ugroups=${GROUP}
aws_cmd=aws
batch_create=1
vpopmail_dir=/home/vpopmail
index_cols=dom,user,owner,users,aliases
newupdate_to_mailbox=1
append=1
backup_feature_mail=1
backup_feature_ssl=1
webmin_theme=*
avail_spam=1
ldap_unix=1
ftp=0
spam=0
max_manual=0
ham_trap_white=0
reseller_unix=0
vpopmail_auto=/usr/local/bin/autorespond
ipfollow=0
mail=0
bw_template=default
backup_fmt=2
virus=0
pigz=0
statussslcert=1
avail_syslog=1
backup_feature_postgres=1
bw_nomailout=0
webalizer=0
max_all=1
delete_virts=0
dns_ip=*
virt6=1
virt=1
first_version=6.09
old_defip={{ old_defip }}
old_defip6=
backup_feature_all=1
allow_subdoms=0
scriptlatest_enabled=1
allow_symlinks=0
allow_modphp=0
mysql_user_size=80
mysql_size=huge
stats_hdir=
domalias=
php_noedit=0
bind_dmarcruf=
disabled_web=
dnssec_alg=
othergroups=
logrotate_config=
statusemail=
html_dir=
defipfollow=
deftmpl_nousers=
php_ini_5.4=
dnssec=
php_ini_5.8=
web_sslport=443
php_ini_7.4=
mysql_conns=none
php_ini_7.9=
statustimeout=
tmpl_outlook_autoconfig=none
gacl_users=
php_ini_5.2=
namedconf=
bind_spfhosts=
ip_ranges6=
newuser_aliases=
phpver=
dns_view=
php_fpm=
php_ini_5.7=
web_urlport=
php_ini_5.9=
web_user=
web_urlsslport=
newdom_cc=
defsafeunder=
logrotate_files=
defaliasdomslimit=*
web_sslprotos=
web_admindom=
php_ini_7.1=
html_perms=750
statustmpl=
php_ini_7.3=
statusonly=0
defdomslimit=
phpchildren=
defmailboxlimit=
defcapabilities=none
bind_spfall=
tmpl_autoconfig=none
php_ini_7.8=
dns_ns={% for s in secns %}{{ s }}. 
{% endfor %}
apache_ssl_config=
default_exclude=
defresources=none
defaliaslimit=
domains_group=
dbgroup=
virtual_skel_subs=0
bccto=none
postgres_encoding=none
mysql_hosts=
mysql_wild=
namedconf_no_also_notify=
bind_dmarc=
php_ini_5=
def_webalizer=
web_ssi_suffix=
webmin_group=
bind_config=
spamtrap=none
php_ini_7.2=
defbwlimit=
bind_master={{ prins }}
mysql_charset=
php_ini_5.3=
extra_prefix=
php_ini_7.7=
defdbslimit=
web_ssi=2
bind_dmarcpct=100
namedconf_no_allow_transfer=
ftp_dir=
defushell=none
mysql_uconns=none
php_ini_7.6=
php_ini_5.6=
mailgroup=
web_writelogs=
web_webmaildom=
domalias_type=0
stats_dir=
web_port=80
ip_ranges=
bind_replace=
disabled_url=
defnorename=
featurelimits=none
mysql_collate=
bind_dmarcp=none
php_ini_7.0=
bind_dmarcextra=
php_ini_7.5=
mysql_suffix=
ftpgroup=
bind_spfincludes=
newdom_bcc=
virtual_skel_nosubs=
bind_indom=
defrealdomslimit=*
newdom_alias_bounce=0
bind_dmarcrua=
last_check=1592358795
php_ini_5.5=
bind_spf=
newdom_subject=虚拟服务器已创建
dns_ttl=
dns_records=
bind_mx=
dnssec_single=
defugroup=none
wizard_run=1
plugins_inactive=
plugins=
group_quotas=
mail_quotas=
home_quotas=

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

avail_mail=1

quotas=1

defnodbname=0

bccs=0

mail_system=0

clamscan_cmd=clamscan

sent_folder=Sent

bw_ftplog_rotated=1

avail_change-user=1

rs_endpoint=https://identity.api.rackspacecloud.com/v1.0

edit_quota=1

nopostfix_extra_user=0

show_mailuser=1

webmin=1

avail_webminlog=0

maillog_period=30

vpopmail_group=vchkpw

defmquota=51200

homes_dir=homes

postgres=0

dependent_mail=0

php_vars=+memory_limit=32M

nolink_certs=0

maillog_hide=0

reseller_template=none

rs_snet=0

dbfnorename=0

pbzip2=0

check_apache=0

backup_feature_logrotate=1

leave_acl=0

avail_phpini=1

spam_white=0

backup_feature_webalizer=1

secmx_nodns=0

newuser_to_mailbox=1

dir=3

remote_alias=1

virtual_skel=/etc/skel

groupsame=0

max_backups=3

mysql_chgrp=1

other_doms=0

show_sysinfo=2

auto_letsencrypt=0

defmongrelslimit=4

show_validation=0

gacl_root=${HOME}

edit_ftp=1

avail_mailboxes=1

delete_logs=0

show_uquotas=0

defforceunder=0

alias_types=1,2,5,6,7,8,9,10,11,12,13

spam_lock=0

postfix_ssl=1

spam_trap_black=0

avail_passwd=1

from_reseller=0

preload_mode=0

aliascopy=1

gzip_mysql=1

avail_filemin=1

show_nf=master,reseller,domain

vpopmail_user=vpopmail

vpopmail_owner=0

gacl_groups=${GROUP}

proxy_pass=0

other_users=0

show_lastlogin=0

display_max=

backup_feature_mysql=1

avail_file=1

vpopmail_maildir=mail

avail_bind8=1

collect_restart=0

default_procmail=0

tlsa_records=0

local_template=none

can_letsencrypt=0

dovecot_ssl=1

avail_webalizer=1

bw_backup=1

check_ports=1

defuquota=1048576

bind_sub=yes

mysql_mkdb=1

delete_indom=0

show_tabs=0

spamclear=none

newdom_aliases=postmaster=${EMAILTO} webmaster=${EMAILTO} abuse=${EMAILTO} hostmaster=${EMAILTO}

clam_delivery=/dev/null

ftp_shell=/bin/false

avail_dns=1

usermin_switch=1

status=0

alias_mode=1

drafts_folder=Drafts

user_template=none

avail_mysql=1

shell=/dev/null

auto_redirect=0

show_ugroup=0

jailkit_root=/home/chroot

stats_noedit=1

domains_sort=sub

subdomain_template=none

unix=3

hard_quotas=1

ssl=0

logrotate=1

lookup_domain_serial=0

upload_tries=3

backup_feature_virtualmin=1

defujail=0

webalizer_nocron=0

update_template=default

generics=0

collect_noall=0

mysql=1

mysql_db=${PREFIX}

all_namevirtual=0

name_max=20

avail_postgres=1

hashpass=0

avail_custom=0

backup_onebyone=1

backup_feature_dir=1

show_features=0

disable_mail=0

web_admin=1

avail_updown=0

php_suexec=0

allow_upper=0

defquota=1048576

show_mailsize=0

home_backup=virtualmin-backup

avail_at=1

warnbw_template=default

key_size=2048

webmin_ssl=1

ldap=0

hashtypes=*

mysql_nouser=0

bw_maillog=auto

avail_cron=1

force_email=0

passwd_mode=0

bw_notify=24

usermin_ssl=1

apache_star=0

web_webmail=1

append_style=0

show_quotas=0

initsub_template=1

avail_shell=0

avail_proc=2

template_auto=1

name_mode=0

unix_shell=/bin/bash /bin/sh

edit_homes=0

backup_rotated=0

compression=0

web=0

bw_owner=1

logrotate_shared=yes

avail_telnet=1

iface=eth0

avail_web=1

collect_notemp=0

disable=unix,mail,web,dns,mysql,postgres,ftp

backup_feature_web=1

ip6enabled=0

ruby_suexec=-1

backuplog_days=7

output_command=0

dns_check=1

show_pass=1

stats_pass=1

mysql_nopass=0

avail_htaccess-htpasswd=1

quota_commands=0

show_preview=2

dns=1

limitnoalias=0

bw_period=30

init_template=0

dns_prins=1

longname=0

proftpd_config=ServerName ${DOM} <Anonymous ${HOME}/ftp> User ftp Group ftp UserAlias anonymous ftp <Limit WRITE> DenyAll </Limit> RequireValidShell off ExtendedLog ${HOME}/logs/ftp.log </Anonymous>

mem_low=256

backup_feature_unix=1

capabilities=none

gacl_umode=1

jail_age=24

hide_alias=0

edit_afiles=1

trash_folder=Trash

plan_auto=1

backup_feature_dns=1

ldap_mail=0

post_check=1

domain_template=none

ldap_mailstore=$HOME/Maildir/

collect_interval=5

mx_validate=1

spam_client=spamassassin

nodeniedssh=1

cert_type=sha2

gacl_ugroups=${GROUP}

aws_cmd=aws

batch_create=1

vpopmail_dir=/home/vpopmail

index_cols=dom,user,owner,users,aliases

newupdate_to_mailbox=1

append=1

backup_feature_mail=1

backup_feature_ssl=1

webmin_theme=*

avail_spam=1

ldap_unix=1

ftp=0

spam=0

max_manual=0

ham_trap_white=0

reseller_unix=0

vpopmail_auto=/usr/local/bin/autorespond

ipfollow=0

mail=0

bw_template=default

backup_fmt=2

virus=0

pigz=0

statussslcert=1

avail_syslog=1

backup_feature_postgres=1

bw_nomailout=0

webalizer=0

max_all=1

delete_virts=0

dns_ip=*

virt6=1

virt=1

first_version=6.09

old_defip={{ old_defip }}

old_defip6=

backup_feature_all=1

allow_subdoms=0

scriptlatest_enabled=1

allow_symlinks=0

allow_modphp=0

mysql_user_size=80

mysql_size=huge

stats_hdir=

domalias=

php_noedit=0

bind_dmarcruf=

disabled_web=

dnssec_alg=

othergroups=

logrotate_config=

statusemail=

html_dir=

defipfollow=

deftmpl_nousers=

php_ini_5.4=

dnssec=

php_ini_5.8=

web_sslport=443

php_ini_7.4=

mysql_conns=none

php_ini_7.9=

statustimeout=

tmpl_outlook_autoconfig=none

gacl_users=

php_ini_5.2=

namedconf=

bind_spfhosts=

ip_ranges6=

newuser_aliases=

phpver=

dns_view=

php_fpm=

php_ini_5.7=

web_urlport=

php_ini_5.9=

web_user=

web_urlsslport=

newdom_cc=

defsafeunder=

logrotate_files=

defaliasdomslimit=*

web_sslprotos=

web_admindom=

php_ini_7.1=

html_perms=750

statustmpl=

php_ini_7.3=

statusonly=0

defdomslimit=

phpchildren=

defmailboxlimit=

defcapabilities=none

bind_spfall=

tmpl_autoconfig=none

php_ini_7.8=

dns_ns={% for s in secns %}{{ s }}.

{% endfor %}

apache_ssl_config=

default_exclude=

defresources=none

defaliaslimit=

domains_group=

dbgroup=

virtual_skel_subs=0

bccto=none

postgres_encoding=none

mysql_hosts=

mysql_wild=

namedconf_no_also_notify=

bind_dmarc=

php_ini_5=

def_webalizer=

web_ssi_suffix=

webmin_group=

bind_config=

spamtrap=none

php_ini_7.2=

defbwlimit=

bind_master={{ prins }}

mysql_charset=

php_ini_5.3=

extra_prefix=

php_ini_7.7=

defdbslimit=

web_ssi=2

bind_dmarcpct=100

namedconf_no_allow_transfer=

ftp_dir=

defushell=none

mysql_uconns=none

php_ini_7.6=

php_ini_5.6=

mailgroup=

web_writelogs=

web_webmaildom=

domalias_type=0

stats_dir=

web_port=80

ip_ranges=

bind_replace=

disabled_url=

defnorename=

featurelimits=none

mysql_collate=

bind_dmarcp=none

php_ini_7.0=

bind_dmarcextra=

php_ini_7.5=

mysql_suffix=

ftpgroup=

bind_spfincludes=

newdom_bcc=

virtual_skel_nosubs=

bind_indom=

defrealdomslimit=*

newdom_alias_bounce=0

bind_dmarcrua=

last_check=1592358795

php_ini_5.5=

bind_spf=

newdom_subject=虚拟服务器已创建

dns_ttl=

dns_records=

bind_mx=

dnssec_single=

defugroup=none

wizard_run=1

plugins_inactive=

plugins=

group_quotas=

mail_quotas=

home_quotas=

defaults/main.yml

---
# defaults file for webmin
webmin_version: 1.941
virtualmin_version: 6.09.gpl
webmin_dir: /etc/webmin
uninstall_webmin: false
upgrade_webmin: false
webmin_packages:
  - perl
  - perl-libwww-perl
  - perl-DBI
  - perl-DBD-MySQL
  - perl-GD
  - perl-HTML-Parser
  - perl-devel
  - openssl
  - perl-Encode-Detect
  - perl-Net-SSLeay
  - perl-Socket6
  - perl-IO-Socket-INET6

mysql_database: 
ns_domain: yyuap.com

---

# defaults file for webmin

webmin_version: 1.941

virtualmin_version: 6.09.gpl

webmin_dir: /etc/webmin

uninstall_webmin: false

upgrade_webmin: false

webmin_packages:

- perl

- perl-libwww-perl

- perl-DBI

- perl-DBD-MySQL

- perl-GD

- perl-HTML-Parser

- perl-devel

- openssl

- perl-Encode-Detect

- perl-Net-SSLeay

- perl-Socket6

- perl-IO-Socket-INET6

mysql_database:

ns_domain: yyuap.com

参考以下文章： Introduction This tutorial will Read more…

By sean, 5 years06/17/2020 ago

未分类

创建虚拟环境: Ansible, Python3, and Virtualenvs on CentOS and RHEL and MacOS

要为ansible运行创建一个最新的虚拟环境, 以下是步骤: 下载最新的python3.8.3安装包:

wget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz

1	wget https://www.python.org/ftp/python/3.9.0/Python-3.9.0.tgz

解压:

xz -d Python-3.9.0.tar.xz && tar xvf Python-3.9.0.tar

1	xz -d Python-3.9.0.tar.xz && tar xvf Python-3.9.0.tar

创建虚拟环境目录: mkdir /root/.python_env 编译安装python

cd Python-3.9.0/
./configure --prefix=/root/.python_env && make && make install

1 2	cd Python-3.9.0/ ./configure --prefix=/root/.python_env && make && make install

配置一下pip国内源, 以增加安装速度

cat > $HOME/.config/pip/pip.conf << EOF
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
trusted-host = mirrors.aliyun.com
#proxy=http://xxx.xxx.xxx.xxx:8080 # 替换出自己的代理地址，格式为[user:passwd@]proxy.server:port

[install]
trusted-host=mirrors.aliyun.com
EOF

cat > $HOME/.config/pip/pip.conf << EOF

[global]

index-url = http://mirrors.aliyun.com/pypi/simple/

trusted-host = mirrors.aliyun.com

#proxy=http://xxx.xxx.xxx.xxx:8080 # 替换出自己的代理地址，格式为[user:passwd@]proxy.server:port

[install]

trusted-host=mirrors.aliyun.com

EOF

安装virtualenvwrapper

cd .python_env/bin/
ln -s python3 python
ln -s pip3 pip
./pip install virtualenvwrapper

cd .python_env/bin/

ln -s python3 python

ln -s pip3 pip

./pip install virtualenvwrapper

安装过程中报错: ImportError: No module named ‘_ctypes’, 解决方法是(参考https://stackoverflow.com/questions/27022373/python3-importerror-no-module-named-ctypes-when-using-value-from-module-mul):

sudo yum -y install gcc gcc-c++ 
sudo yum -y install zlib zlib-devel
sudo yum -y install libffi-devel

sudo yum -y install gcc gcc-c++

sudo yum -y install zlib zlib-devel

sudo yum -y install libffi-devel

然后重新编译安装python3 定义环境变量

cat >> /root/.bashrc << EOF
# virtualenv
#export PIP_REQUIRE_VIRTUALENV=true #pip安装东西的时候不安装到本地环境
#export PIP_RESPECT_VIRTUALENV=true #在执行pip的时候让系统自动开启虚拟环境
# virtualenv
export WORKON_HOME=/root/.python_env/.virtualenvs
export VIRTUALENVWRAPPER_PYTHON=/root/.python_env/bin/python
export PIP_VIRTUALENV_BASE=$WORKON_HOME
export VIRTUALENV_USE_DISTRIBUTE=1
export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/.python_env/bin"
export VIRTUALENVWRAPPER_VIRTUALENV=/root/.python_env/bin/virtualenv
#export VIRTUALENVWRAPPER_VIRTUALENV=$(which virtualenv)
source $(which virtualenvwrapper.sh)
EOF

cat >> /root/.bashrc << EOF

# virtualenv

#export PIP_REQUIRE_VIRTUALENV=true #pip安装东西的时候不安装到本地环境

#export PIP_RESPECT_VIRTUALENV=true #在执行pip的时候让系统自动开启虚拟环境

# virtualenv

export WORKON_HOME=/root/.python_env/.virtualenvs

export VIRTUALENVWRAPPER_PYTHON=/root/.python_env/bin/python

export PIP_VIRTUALENV_BASE=$WORKON_HOME

export VIRTUALENV_USE_DISTRIBUTE=1

export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/.python_env/bin"

export VIRTUALENVWRAPPER_VIRTUALENV=/root/.python_env/bin/virtualenv

#export VIRTUALENVWRAPPER_VIRTUALENV=$(which virtualenv)

source $(which virtualenvwrapper.sh)

EOF

创建ansible虚拟环境：

mkvirtualenv ansible

1	mkvirtualenv ansible

The prompt change tells us we’ve successfully made, and activated, our first python 3 virtualenv. Validate it is configured as Read more…

By sean, 5 years06/15/2020 ago

未分类

ansible sysctl模块使用

修改系统内核参数,可以使用ansible sysctl模块来做批量修改:

- hosts: test
  gather_facts: false
  vars:
    pana_sys_ctl:
      net.bridge.bridge-nf-call-ip6tables: 1
      net.bridge.bridge-nf-call-iptables: 1
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.forwarding: 1
      net.ipv4.neigh.default.gc_thresh1: 4096
      net.ipv4.neigh.default.gc_thresh2: 6144
      net.ipv4.neigh.default.gc_thresh3: 8192
      net.ipv4.neigh.default.gc_interval: 60
      net.ipv4.neigh.default.gc_stale_time: 120

      # 参考 https://github.com/prometheus/node_exporter#disabled-by-default
      kernel.perf_event_paranoid: -1

      #sysctls for k8s node config
      net.ipv4.tcp_slow_start_after_idle: 0
      net.core.rmem_max: 16777216
      fs.inotify.max_user_watches: 524288
      kernel.softlockup_all_cpu_backtrace: 1

      kernel.softlockup_panic: 0

      kernel.watchdog_thresh: 30
      fs.file-max: 2097152
      fs.inotify.max_user_instances: 8192
      fs.inotify.max_queued_events: 16384
      vm.max_map_count: 262144
      fs.may_detach_mounts: 1
      net.core.netdev_max_backlog: 16384
      net.ipv4.tcp_wmem: 4096 12582912 16777216
      net.core.wmem_max: 16777216
      net.core.somaxconn: 32768
      net.ipv4.ip_forward: 1
      net.ipv4.tcp_max_syn_backlog: 8096
      net.ipv4.tcp_rmem: 4096 12582912 16777216

      net.ipv6.conf.all.disable_ipv6: 1
      net.ipv6.conf.default.disable_ipv6: 1
      net.ipv6.conf.lo.disable_ipv6: 1

      kernel.yama.ptrace_scope: 0
      vm.swappiness: 0

      # 可以控制core文件的文件名中是否添加pid作为扩展。
      kernel.core_uses_pid: 1

      # Do not accept source routing
      net.ipv4.conf.default.accept_source_route: 0
      net.ipv4.conf.all.accept_source_route: 0

      # Promote secondary addresses when the primary address is removed
      net.ipv4.conf.default.promote_secondaries: 1
      net.ipv4.conf.all.promote_secondaries: 1

      # Enable hard and soft link protection
      fs.protected_hardlinks: 1
      fs.protected_symlinks: 1

      # 源路由验证
      # see details in https://help.aliyun.com/knowledge_detail/39428.html
      net.ipv4.conf.all.rp_filter: 0
      net.ipv4.conf.default.rp_filter: 0
      net.ipv4.conf.default.arp_announce :  2
      net.ipv4.conf.lo.arp_announce: 2
      net.ipv4.conf.all.arp_announce: 2

      # see details in https://help.aliyun.com/knowledge_detail/41334.html
      net.ipv4.tcp_max_tw_buckets: 5000
      net.ipv4.tcp_syncookies: 1
      net.ipv4.tcp_fin_timeout: 30
      net.ipv4.tcp_synack_retries: 2
      kernel.sysrq: 1

  tasks:
    - sysctl:
        name: "{{ item[0] }}"
        value: "{{ item[1] }}"
        state: present
        sysctl_set: yes
        reload: yes
      with_items:
        - "{{ pana_sys_ctl|dictsort }}"

- hosts: test

gather_facts: false

vars:

pana_sys_ctl:

net.bridge.bridge-nf-call-ip6tables: 1

net.bridge.bridge-nf-call-iptables: 1

net.ipv4.ip_forward: 1

net.ipv4.conf.all.forwarding: 1

net.ipv4.neigh.default.gc_thresh1: 4096

net.ipv4.neigh.default.gc_thresh2: 6144

net.ipv4.neigh.default.gc_thresh3: 8192

net.ipv4.neigh.default.gc_interval: 60

net.ipv4.neigh.default.gc_stale_time: 120

# 参考 https://github.com/prometheus/node_exporter#disabled-by-default

kernel.perf_event_paranoid: -1

#sysctls for k8s node config

net.ipv4.tcp_slow_start_after_idle: 0

net.core.rmem_max: 16777216

fs.inotify.max_user_watches: 524288

kernel.softlockup_all_cpu_backtrace: 1

kernel.softlockup_panic: 0

kernel.watchdog_thresh: 30

fs.file-max: 2097152

fs.inotify.max_user_instances: 8192

fs.inotify.max_queued_events: 16384

vm.max_map_count: 262144

fs.may_detach_mounts: 1

net.core.netdev_max_backlog: 16384

net.ipv4.tcp_wmem: 4096 12582912 16777216

net.core.wmem_max: 16777216

net.core.somaxconn: 32768

net.ipv4.ip_forward: 1

net.ipv4.tcp_max_syn_backlog: 8096

net.ipv4.tcp_rmem: 4096 12582912 16777216

net.ipv6.conf.all.disable_ipv6: 1

net.ipv6.conf.default.disable_ipv6: 1

net.ipv6.conf.lo.disable_ipv6: 1

kernel.yama.ptrace_scope: 0

vm.swappiness: 0

# 可以控制core文件的文件名中是否添加pid作为扩展。

kernel.core_uses_pid: 1

# Do not accept source routing

net.ipv4.conf.default.accept_source_route: 0

net.ipv4.conf.all.accept_source_route: 0

# Promote secondary addresses when the primary address is removed

net.ipv4.conf.default.promote_secondaries: 1

net.ipv4.conf.all.promote_secondaries: 1

# Enable hard and soft link protection

fs.protected_hardlinks: 1

fs.protected_symlinks: 1

# 源路由验证

# see details in https://help.aliyun.com/knowledge_detail/39428.html

net.ipv4.conf.all.rp_filter: 0

net.ipv4.conf.default.rp_filter: 0

net.ipv4.conf.default.arp_announce : 2

net.ipv4.conf.lo.arp_announce: 2

net.ipv4.conf.all.arp_announce: 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html

net.ipv4.tcp_max_tw_buckets: 5000

net.ipv4.tcp_syncookies: 1

net.ipv4.tcp_fin_timeout: 30

net.ipv4.tcp_synack_retries: 2

kernel.sysrq: 1

tasks:

- sysctl:

name: "{{ item[0] }}"

value: "{{ item[1] }}"

state: present

sysctl_set: yes

reload: yes

with_items:

- "{{ pana_sys_ctl|dictsort }}"

测试发现, 运行很慢, 基本一条一秒, 要是这样, 还不如直接拷贝过去算了, 此模块适合修改条目比较少的选项

By sean, 5 years06/14/2020 ago

未分类

批量插入/替换整段代码到指定位置

需求是用ansible来修改nginx配置文件，添加代理gotty打开终端的逻辑，如下：

---

- name: modify nginx configure
  gather_facts: F
  hosts: nginx
  pre_tasks:
    - name: define variables
      set_fact:
        nginx_conf: /data/middleware/nginx/conf.d/upstream-tomcat.conf

  tasks:
    - name: "modify nginx configure - part 1"
      shell:
        cmd: |
          time=$(date +%F)
          sed -i "1i\# modified at $time" upstream-tomcat.conf
          Bstr='\# modified at'
          Estr='upstream dashboard'
          sed -n "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              p
            }
          " map.txt | sed "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              r /dev/stdin
              d
            }
          " {{ nginx_conf }} > {{ nginx_conf }}.new
          mv -f {{ nginx_conf }}.new {{ nginx_conf }}

    - name: "modify nginx configure - part 2"
      shell:
        cmd: |
          Bstr='# --- END FOR KUBOARD ---'
          Estr='location.*.\/redis\/'
          sed -n "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              p
            }
          " location.txt | sed "
            /$Bstr/ {
              n
              :start
              /$Estr/! {
                N
                b start
              }
              r /dev/stdin
              d
            }
          " {{ nginx_conf }} > {{ nginx_conf }}.new
          mv -f {{ nginx_conf }}.new {{ nginx_conf }}

---

- name: modify nginx configure

gather_facts: F

hosts: nginx

pre_tasks:

- name: define variables

set_fact:

nginx_conf: /data/middleware/nginx/conf.d/upstream-tomcat.conf

tasks:

- name: "modify nginx configure - part 1"

shell:

cmd: |

time=$(date +%F)

sed -i "1i\# modified at $time" upstream-tomcat.conf

Bstr='\# modified at'

Estr='upstream dashboard'

sed -n "

/$Bstr/ {

:start

/$Estr/! {

b start

}

" map.txt | sed "

/$Bstr/ {

:start

/$Estr/! {

b start

}

r /dev/stdin

}

" {{ nginx_conf }} > {{ nginx_conf }}.new

mv -f {{ nginx_conf }}.new {{ nginx_conf }}

- name: "modify nginx configure - part 2"

shell:

cmd: |

Bstr='# --- END FOR KUBOARD ---'

Estr='location.*.\/redis\/'

sed -n "

/$Bstr/ {

:start

/$Estr/! {

b start

}

" location.txt | sed "

/$Bstr/ {

:start

/$Estr/! {

b start

}

r /dev/stdin

}

" {{ nginx_conf }} > {{ nginx_conf }}.new

mv -f {{ nginx_conf }}.new {{ nginx_conf }}

map.txt:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
map $http_cookie $c_cookie {
    default "";
     ~*host=([^\;]*) $1;
}

map $args $r_host {
     default $c_cookie;
     ~*host=(.*) $1;
}

upstream dashboard {

map $http_upgrade $connection_upgrade {

default upgrade;

'' close;

}

map $http_cookie $c_cookie {

default "";

~*host=([^\;]*) $1;

}

map $args $r_host {

default $c_cookie;

~*host=(.*) $1;

}

upstream dashboard {

location.txt:

    # --- END FOR KUBOARD ---

    # --- START FOR gotty ---
   location ~ /webterminal/ {
        if ($uri = /webterminal/ ){
            set $hostip "$r_host";
            set_decode_base64 $hostip;
            proxy_pass http://$hostip:50000;
            rewrite /webterminal/(.*)$ /$1 break;
            add_header Set-Cookie "host=$hostip";
        }
        if ($uri ~ .js){
            proxy_pass http://$c_cookie:50000;
            rewrite /webterminal/(.*)$ /$1 break;
        }
        if ($uri ~ webterminal/ws){
            rewrite /(.*)$ /webterminalws last;
        }
    }

    location ~ /webterminalws {
        proxy_pass http://$c_cookie:50000/ws;

        proxy_http_version  1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    # --- END FOR gotty ---

    location ^~ /redis/ {

# --- END FOR KUBOARD ---

# --- START FOR gotty ---

location ~ /webterminal/ {

if ($uri = /webterminal/ ){

set $hostip "$r_host";

set_decode_base64 $hostip;

proxy_pass http://$hostip:50000;

rewrite /webterminal/(.*)$ /$1 break;

add_header Set-Cookie "host=$hostip";

}

if ($uri ~ .js){

proxy_pass http://$c_cookie:50000;

rewrite /webterminal/(.*)$ /$1 break;

}

if ($uri ~ webterminal/ws){

rewrite /(.*)$ /webterminalws last;

}

location ~ /webterminalws {

proxy_pass http://$c_cookie:50000/ws;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

}

# --- END FOR gotty ---

location ^~ /redis/ {

注意：需要插入/替换的新内容：map.txt和location.txt 开始和结束的匹配字段也要写上去（Bstr和Estr）

By sean, 5 years06/11/2020 ago

KUBERNETES

ansible安装k3s

一， ansible安装k3s集群下载ansible安装k3s脚本： ansible-galaxy install xanmanning.k3s ansible role目录结构： ├── hosts.ini ├── roles │ ├── k3s │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── docker │ │ │ │ ├── bin │ │ │ │ │ ├── containerd │ │ │ │ Read more…

By sean, 5 years06/04/2020 ago

未分类

ansible – Appending To Lists And Dictionaries

今天在整理ansible安装k3s时，遇到了个问题，想法是在安装过程中对node能打多个label, 如：定义hosts.ini

[k3s_nodes]
172.20.47.254 k3s_control_node=true nodeRole=ingress,node ansible_ssh_user=root ansible_ssh_port=22
172.20.47.201 nodeRole=node  ansible_ssh_user=root ansible_ssh_port=22

[k3s_nodes]

172.20.47.254 k3s_control_node=true nodeRole=ingress,node ansible_ssh_user=root ansible_ssh_port=22

172.20.47.201 nodeRole=node ansible_ssh_user=root ansible_ssh_port=22

其中k3s.service.j2模块中的定义如下：

{% if k3s_node_labels is defined and k3s_node_labels is iterable %}
    {% for label in k3s_node_labels %}
        {% for key, value in label.items() %}
            --node-label {{ key }}={{ value }}
        {% endfor %}
    {% endfor %}
{% endif %}

{% if k3s_node_labels is defined and k3s_node_labels is iterable %}

{% for label in k3s_node_labels %}

{% for key, value in label.items() %}

--node-label {{ key }}={{ value }}

{% endfor %}

{% endif %}

而生成的k3s.service应是这个结果：

ExecStart=/usr/local/bin/k3s server \
          --disable-network-policy --flannel-backend none --cluster-cidr 10.42.0.0/16 --service-cidr 10.43.0.0/16 \
          --no-deploy traefik --docker --node-name 172.20.47.254 \
          --node-label node.kubernetes.io/ingress= \
          --node-label node.kubernetes.io/node=

ExecStart=/usr/local/bin/k3s server \

--disable-network-policy --flannel-backend none --cluster-cidr 10.42.0.0/16 --service-cidr 10.43.0.0/16 \

--no-deploy traefik --docker --node-name 172.20.47.254 \

--node-label node.kubernetes.io/ingress= \

--node-label node.kubernetes.io/node=

可以看到，应该给node打两个label, 经反复尝试，终于生成了，下面是我的k3s.yml:

- hosts: k3s_nodes
  vars:
    #k3s_control_node_address: 172.20.47.250
    # k3s_datastore_endpoint: "mysql://root:mypass@tcp(172.20.47.38:3306)/k3sdb"
    k3s_cluster_cidr: 10.42.0.0/16
    k3s_service_cidr: 10.43.0.0/16
    k3s_use_docker: true
    k3s_no_flannel: true
    k3s_no_traefik: true
    # k3s_control_node_address: "k8s.apiserver.io"
    ingress_http_port: 8000
    ingress_https_port: 4443

    # if set k3s_disable_network_policy=false,  
    # it will show error: User "system:k3s-controller" cannot get resource "nodes" in API group "" at the cluster scope
    # refer to: https://github.com/rancher/k3s/issues/1792
    k3s_disable_network_policy: true
    k3s_server_manifests_templates:
      - "manifests/calico.yaml.j2"
      - "manifests/coredns.yaml.j2"
      - "manifests/local-storage.yaml.j2"
      - "manifests/metrics-server-deployment.yaml.j2"
      - "manifests/nginx-ingress.yaml.j2"
      - "manifests/kuboard.yaml.j2"
      - "manifests/cert-manager-no-webhook.yaml.j2"

  pre_tasks:
    - name: Set k3s_node_name
      set_fact:
        k3s_node_name: "{{ inventory_hostname }}"

    - name: Set node labels
      set_fact:
        # k3s_node_labels: "{{ k3s_node_labels|default([]) | combine({'node.kubernetes.io/'+item: ''}) }}"
        k3s_node_labels: "{{ k3s_node_labels|default([]) + [{'node.kubernetes.io/'+item: ''}] }}"
      with_items: 
        - "{{ nodeRole.split(',') }}"
      when: nodeRole is defined

  # tasks:
  #   - debug: msg="{{ k3s_node_labels  }}"
  roles:
    - { role: k3s, k3s_release_version: v1.18.2+k3s1 }

- hosts: k3s_nodes

vars:

#k3s_control_node_address: 172.20.47.250

# k3s_datastore_endpoint: "mysql://root:mypass@tcp(172.20.47.38:3306)/k3sdb"

k3s_cluster_cidr: 10.42.0.0/16

k3s_service_cidr: 10.43.0.0/16

k3s_use_docker: true

k3s_no_flannel: true

k3s_no_traefik: true

# k3s_control_node_address: "k8s.apiserver.io"

ingress_http_port: 8000

ingress_https_port: 4443

# if set k3s_disable_network_policy=false,

# it will show error: User "system:k3s-controller" cannot get resource "nodes" in API group "" at the cluster scope

# refer to: https://github.com/rancher/k3s/issues/1792

k3s_disable_network_policy: true

k3s_server_manifests_templates:

- "manifests/calico.yaml.j2"

- "manifests/coredns.yaml.j2"

- "manifests/local-storage.yaml.j2"

- "manifests/metrics-server-deployment.yaml.j2"

- "manifests/nginx-ingress.yaml.j2"

- "manifests/kuboard.yaml.j2"

- "manifests/cert-manager-no-webhook.yaml.j2"

pre_tasks:

- name: Set k3s_node_name

set_fact:

k3s_node_name: "{{ inventory_hostname }}"

- name: Set node labels

set_fact:

# k3s_node_labels: "{{ k3s_node_labels|default([]) | combine({'node.kubernetes.io/'+item: ''}) }}"

k3s_node_labels: "{{ k3s_node_labels|default([]) + [{'node.kubernetes.io/'+item: ''}] }}"

with_items:

- "{{ nodeRole.split(',') }}"

when: nodeRole is defined

# tasks:

# - debug: msg="{{ k3s_node_labels }}"

roles:

- { role: k3s, k3s_release_version: v1.18.2+k3s1 }

定义了： k3s_node_labels: “{{ k3s_node_labels|default([]) + [{‘node.kubernetes.io/’+item: ”}] }}” 意思是定义一个列表k3s_node_labels，将with_items中的变量append到列表中，结果是这样：

[
        {
            "node.kubernetes.io/ingress": ""
        }, 
        {
            "node.kubernetes.io/node": ""
        }
]

[

{

"node.kubernetes.io/ingress": ""

{

"node.kubernetes.io/node": ""

}

]

除了用+号，也可以用union([item]) 而如果这样定义的话： k3s_node_labels: “{{ k3s_node_labels|default([]) | combine({‘node.kubernetes.io/’+item: ”}) }}” 或 k3s_node_labels: “{{ k3s_node_labels|default({}) | combine({‘node.kubernetes.io/’+item: ”}) }}” 都将会这种结果：

{
        "node.kubernetes.io/ingress": "", 
        "node.kubernetes.io/node": ""
}

{

"node.kubernetes.io/ingress": "",

"node.kubernetes.io/node": ""

}