sean – 一江春水向东流

KUBERNETES

KubeVirt uses custom virtual machines

背景翻了一下笔记，2023年底接触了kubevirt 这个k8s下的虚拟机项目，当时也只是简单的部署以及使用现有的几个镜像，2024年也断断续续使用过几次，直到今年2025年8月再次接触，制作了自己的镜像才算基本搞通了这个kubevirt 的使用，时间跨度有点大，这里记录一下。准备工作 kvm 虚拟化物理机ubuntu 系统 apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils -y 虚拟机 ubuntu 系统 apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager -y 虚拟机 rockylinux 系统 yum install -y qemu-kvm libvirt virt-install bridge-utils 嵌套虚拟化如果测试机器本身是虚拟机，则还有一个工作，开启嵌套虚拟化。修改 grub 设置安装了前面的几个kvm 相关包之后，还需要修改 grub 设置。 vi /etc/default/grub 加上最后1部分 GRUB_CMDLINE_LINUX=”crashkernel=auto Read more…

By sean, 4 days ago

PROGRAMMING

yq用法

yq介绍在开始使用yq之前，我们首先需要安装它。当你在谷歌上搜索yq时，你会发现两个项目/存储库。首先，在https://github.com/kislyuk/yq是jq（JSON处理器）的包装器。如果你已经熟悉jq，你可能想抓住这个，使用你已经知道的语法。不过，在本文中，我们将使用https://github.com/mikefarah/yq 这个版本，这个版本没有100%匹配jq语法，但它的优点是它没有依赖性（不依赖于jq），有关差异的更多上下文，请参阅下面的GitHub问题。 https://github.com/mikefarah/yq/issues/193 mikefarah版本的yq的具体用法参见文档：https://mikefarah.gitbook.io/yq/ 工作实践业务需求由于公司产品需要部署在无网环境，所以需要制作适配各个组件的离线安装源，包括rpm/apt之类的系统相关软件包，以及各个二进制/压缩包之类的离线文件，原来是做法是统一将所有的离线源统一整合到一个yml文件当中去，现在的做法是将一个名为packages.yaml的文件放到各个组件的工程里，通过git下载然后进行聚合生成最后的全量列表。聚合之前，通过生成一个config.yaml来进行选择哪些组件的聚合，下面是全量的配置：

---
downMode: git
project:
  - name: offline-packages
    url: https://git.xxx.com/PaaS/offline-packages.git
    branch: autoupdate-git
    item:
  - name: yks
    url: https://git.xxx.com/PaaS/paas-installer.git
    branch: develop
    item:
  - name: middleware
    url: https://git.xxx.com/PaaS/middleware.git
    branch: develop
    item:
      - redis
      - nginx
      - elasticsearch
      - kafka
      - kibana
      - license-server
      - minio

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

---

downMode: git

project:

- name: offline-packages

url: https://git.xxx.com/PaaS/offline-packages.git

branch: autoupdate-git

item:

- name: yks

url: https://git.xxx.com/PaaS/paas-installer.git

branch: develop

item:

- name: middleware

url: https://git.xxx.com/PaaS/middleware.git

branch: develop

item:

- redis

- nginx

- elasticsearch

- kafka

- kibana

- license-server

- minio

通过流水线传参，生成以分号为分隔符的参数，来自定义生成config_custom.yaml:

    # 生成聚合用的config.yml
    if [ "$middleware_names" != "all" ]; then
      middleware_pattern="middleware|$(echo ${middleware_names} |sed 's/;/\|/g')"
      # 只保留选择的大类，如'yks, middleware, offline-packages'
      yq 'del(.project[] | select(.name | test("'$middleware_pattern'")|not))' config.yml > ./config_custom_tmp.yml
      # 再次筛选, 只保留middleware大类下的小类,如'redis, nginx'
      yq 'del(.project[].item.[] | select(. |test("'$middleware_pattern'")|not) )' config_custom_tmp.yml > ./config_custom.yml
      config_file=config_custom.yml
      rm -rf config_custom_tmp.yml
    else
      config_file=config.yml
    fi

1

2

3

4

5

6

7

8

9

10

11

12

# 生成聚合用的config.yml

if [ "$middleware_names" != "all" ]; then

middleware_pattern="middleware|$(echo ${middleware_names} |sed 's/;/\|/g')"

# 只保留选择的大类，如'yks, middleware, offline-packages'

yq 'del(.project[] | select(.name | test("'$middleware_pattern'")|not))' config.yml > ./config_custom_tmp.yml

# 再次筛选, 只保留middleware大类下的小类,如'redis, nginx'

yq 'del(.project[].item.[] | select(. |test("'$middleware_pattern'")|not) )' config_custom_tmp.yml > ./config_custom.yml

config_file=config_custom.yml

rm -rf config_custom_tmp.yml

else

config_file=config.yml

fi

解析：由于yq的contains不支持多个匹配，所以在这里用到了test来测试是否包含以‘|’分隔的多个字符 del的用法：用del删除之前，先要能查询打印出需要删除的部分，才能进一步使用del删除，如：如果选择了只生成middleware和paas-installer, 则先查出不包含middleware和paas-installer的部分：

[root@jenkins1-iuap-hb2-ali offline-packages]# cat config.yml |yq '.project[]| select(.name | test("middleware|yks")|not)'
name: offline-packages
url: https://git.xxx.com/paas/offline-packages.git
branch: develop
item:

1

2

3

4

5

name: offline-packages

url: https://git.xxx.com/paas/offline-packages.git

branch: develop

item:

然后调用del删除：

[root@jenkins1 offline-packages]# cat config.yml |yq 'del(.project[]| select(.name | test("middleware|yks")|not))'
---
downMode: git
project:
  - name: paas
    url: https://git.xxx.com/PaaS/paas-installer.git
    branch: develop
    item:
  - name: middleware
    url: https://git.xxx.com/PaaS/middleware.git
    branch: develop
    item:
      - redis
      - nginx
      - elasticsearch
      - kafka
      - kibana
      - license-server
      - minio

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

---

downMode: git

project:

- name: paas

url: https://git.xxx.com/PaaS/paas-installer.git

branch: develop

item:

- name: middleware

url: https://git.xxx.com/PaaS/middleware.git

branch: develop

item:

- redis

- nginx

- elasticsearch

- kafka

- kibana

- license-server

- minio

如果只选择了paas，nginx和redis,则需再次筛选, 只保留middleware大类下的小类,如’redis, nginx’:

[root@jenkins1 offline-packages]# yq 'del(.project[].item.[] | select(. |test("redis|nginx")|not) )' config_custom_tmp.yml
---
downMode: git
project:
  - name: yks
    url: https://git.xxx.com/PaaS/paas-installer.git
    branch: develop
    item: []
  - name: middleware
    url: https://git.xxx.com/PaaS/middleware.git
    branch: develop
    item:
      - redis
      - nginx

1

2

3

4

5

6

7

8

9

10

11

12

13

14

[root@jenkins1 offline-packages]# yq 'del(.project[].item.[] | select(. |test("redis|nginx")|not) )' config_custom_tmp.yml

---

downMode: git

project:

- name: yks

url: https://git.xxx.com/PaaS/paas-installer.git

branch: develop

item: []

- name: middleware

url: https://git.xxx.com/PaaS/middleware.git

branch: develop

item:

- redis

- nginx

osInfo=$(awk ‘BEGIN{split(“‘${os_names}’”, arr, “,”);for(key in arr) if(arr[key] ~ “ubuntu”) print arr[key]”:apt”;else print arr[key]”:yum”}’) 最后生成的格式如下：

os: kylin
version: v10-sp3
package:
- name:
  - telnet
  - curl
  - wget
 
- name:
  - docker-ce-20.10.17
  - docker-ce-cli-20.10.17
  - containerd.io-1.6.28
  arch: amd64
  repo:
  - https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  - http://mirrors.aliyun.com/repo/Centos-7.repo
  replace:
  - item: repo
    from: $releasever
    to: "7"
- name:
  - docker-ce-20.10.17
  - docker-ce-cli-20.10.17
  - containerd.io-1.6.28
  arch: arm64
  repo:
  - https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  - http://mirrors.aliyun.com/repo/Centos-altarch-7.repo
  replace:
  - item: repo
    from: $releasever
    to: "7"
file:
- name: cni-plugins
  arch: amd64
  src: http://bucket.oss-cn-beijing.aliyuncs.com/download/nexus2/raw-apis/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
  dest: raw-apis/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

os: kylin

version: v10-sp3

package:

- name:

- telnet

- curl

- wget

- name:

- docker-ce-20.10.17

- docker-ce-cli-20.10.17

- containerd.io-1.6.28

arch: amd64

repo:

- https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

- http://mirrors.aliyun.com/repo/Centos-7.repo

replace:

- item: repo

from: $releasever

to: "7"

- name:

- docker-ce-20.10.17

- docker-ce-cli-20.10.17

- containerd.io-1.6.28

arch: arm64

repo:

- https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

- http://mirrors.aliyun.com/repo/Centos-altarch-7.repo

replace:

- item: repo

from: $releasever

to: "7"

file:

- name: cni-plugins

arch: amd64

src: http://bucket.oss-cn-beijing.aliyuncs.com/download/nexus2/raw-apis/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz

dest: raw-apis/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz

需要再次通过yq来进行提取过滤: 提取不需要配repo的以及带arch=amd64/x86_64或不带key为arch的列表： Read more…

By sean, 2 years03/07/2024 ago

OS

Linux自动探测网卡名称

Linux上需要自动探测通信的网卡名称，有时会有多网卡方案一通过ip命令提取默认路由，来找到默认通信的网卡获取IP命令：

if [[ "$useIPV6" == "true" ]]; then
        ip_r=$(ip -6 r g 2000::1)
        LOCAL_IP=$(grep -oP "src \S+ "  < <(echo $ip6_r) | sed 's/src //' | awk '{gsub(/^\s+|\s+$/, "");print}')
        if [ "X$LOCAL_IP" == "X" ]; then
            LOCAL_IP=$(ip add | grep -w inet6 | grep -v ::1 | awk NR==1'{print $2}' | cut -d "/" -f 1)
        fi
else        
        ip_r=$(ip r g 1.0.0.0)
        LOCAL_IP=$(grep -oP "src \S+ "  < <(echo $ip_r) | sed 's/src //' | awk '{gsub(/^\s+|\s+$/, "");print}')
        if [ "X$LOCAL_IP" == "X" ] || (! echo $LOCAL_IP | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'); then
            LOCAL_IP=$(ip add | grep -w inet | grep -v 127.0.0.1 | awk NR==1'{print $2}' | cut -d "/" -f 1)
        fi
    fi
fi

1

2

3

4

5

6

7

8

9

10

11

12

13

14

if [[ "$useIPV6" == "true" ]]; then

ip_r=$(ip -6 r g 2000::1)

LOCAL_IP=$(grep -oP "src \S+ " < <(echo $ip6_r) | sed 's/src //' | awk '{gsub(/^\s+|\s+$/, "");print}')

if [ "X$LOCAL_IP" == "X" ]; then

LOCAL_IP=$(ip add | grep -w inet6 | grep -v ::1 | awk NR==1'{print $2}' | cut -d "/" -f 1)

fi

else

ip_r=$(ip r g 1.0.0.0)

LOCAL_IP=$(grep -oP "src \S+ " < <(echo $ip_r) | sed 's/src //' | awk '{gsub(/^\s+|\s+$/, "");print}')

if [ "X$LOCAL_IP" == "X" ] || (! echo $LOCAL_IP | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'); then

LOCAL_IP=$(ip add | grep -w inet | grep -v 127.0.0.1 | awk NR==1'{print $2}' | cut -d "/" -f 1)

fi

获取网卡名称

function get_cfgname(){
    ipa_info=$(ip a)
    line=$(echo "${ipa_info}" | sed -n -e "/\<${LOCAL_IP}\>/=")
    detect_cfgname=$(echo "${ipa_info}" | sed -n "1,${line}p" | grep '^[0-9]' | sed -n '$p' | awk -F ':| ' '{print $3}')
    echo $detect_cfgname
}

function interface_check() {
    cfgname=$(get_cfgname)
    # 判断网卡名称，此变量由环境变量传过来,如没有传时，则根据ip来反推网卡名称
    if [ "X$ifCfgName" == "X" ]; then
        ifCfgName=$cfgname
        if [ "X$ifCfgName" != "X" ]; then
            echo_color info "经自动探测，服务器网卡名称为：${ifCfgName}"
        else
            echo_color error "服务器网卡名称：${ifCfgName} 不存在, 请再次确认！"
            exit 1
        fi
    elif [ "$ifCfgName" != "$cfgname" ]; then
        detect_ipaddr=$(ip addr | awk '/inet/ && ! /\/32/ {ip[$NF] = $2; sub(/\/.*$/,"",ip[$NF])} END {for(i in ip){if(i ~ "'$ifCfgName'") print ip[i]}}')
        if [ "$LOCAL_IP" != "$detect_ipaddr" ]; then
            echo_color warning "填的网卡名称是$ifCfgName,跟探测的网卡名称$cfgname 不一致,请再次确认！"
            exit 1
        fi
    else
        echo_color info "填写的服务器网卡名称为：${ifCfgName}"
    fi

    write_restore_end
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

function get_cfgname(){

ipa_info=$(ip a)

line=$(echo "${ipa_info}" | sed -n -e "/\<${LOCAL_IP}\>/=")

detect_cfgname=$(echo "${ipa_info}" | sed -n "1,${line}p" | grep '^[0-9]' | sed -n '$p' | awk -F ':| ' '{print $3}')

echo $detect_cfgname

}

function interface_check() {

cfgname=$(get_cfgname)

# 判断网卡名称，此变量由环境变量传过来,如没有传时，则根据ip来反推网卡名称

if [ "X$ifCfgName" == "X" ]; then

ifCfgName=$cfgname

if [ "X$ifCfgName" != "X" ]; then

echo_color info "经自动探测，服务器网卡名称为：${ifCfgName}"

else

echo_color error "服务器网卡名称：${ifCfgName} 不存在, 请再次确认！"

exit 1

fi

elif [ "$ifCfgName" != "$cfgname" ]; then

detect_ipaddr=$(ip addr | awk '/inet/ && ! /\/32/ {ip[$NF] = $2; sub(/\/.*$/,"",ip[$NF])} END {for(i in ip){if(i ~ "'$ifCfgName'") print ip[i]}}')

if [ "$LOCAL_IP" != "$detect_ipaddr" ]; then

echo_color warning "填的网卡名称是$ifCfgName,跟探测的网卡名称$cfgname 不一致,请再次确认！"

exit 1

fi

else

echo_color info "填写的服务器网卡名称为：${ifCfgName}"

fi

write_restore_end

}

方案二通过ansible_default_ipv4变量获取IP：

if [[ "$useIPV6" == "true" ]]; then
    filter=ansible_default_ipv6
else        
    filter=ansible_default_ipv4
fi
# define parameters of address and interface
eval $(ansible localhost -m setup -a 'gather_subset=!all,network filter='$filter''|egrep "\"interface\"|\"address\""|awk -F': ' '{gsub(/"|,| /,"",$0);gsub(/:/,"=",$0);print $0}')

LOCAL_IP=$address

1

2

3

4

5

6

7

8

9

if [[ "$useIPV6" == "true" ]]; then

filter=ansible_default_ipv6

else

filter=ansible_default_ipv4

fi

# define parameters of address and interface

eval $(ansible localhost -m setup -a 'gather_subset=!all,network filter='$filter''|egrep "\"interface\"|\"address\""|awk -F': ' '{gsub(/"|,| /,"",$0);gsub(/:/,"=",$0);print $0}')

LOCAL_IP=$address

获取网卡名称：

    # 判断网卡名称，此变量由环境变量传过来,如没有传时，则提取ansible_default_ipv4变量
    if [ "X$ifCfgName" == "X" ]; then
        ifCfgName=$interface
        echo_color info "经自动探测，服务器网卡名称为：${ifCfgName}"
    elif [ "$ifCfgName" != "$interface" ]; then
        echo_color warning "填的网卡名称是$ifCfgName,跟探测的网卡名称$interface 不一致,请再次确认！"
        exit 1
    else
        echo_color info "填写的服务器网卡名称为：${ifCfgName}"
    fi

1

2

3

4

5

6

7

8

9

10

# 判断网卡名称，此变量由环境变量传过来,如没有传时，则提取ansible_default_ipv4变量

if [ "X$ifCfgName" == "X" ]; then

ifCfgName=$interface

echo_color info "经自动探测，服务器网卡名称为：${ifCfgName}"

elif [ "$ifCfgName" != "$interface" ]; then

echo_color warning "填的网卡名称是$ifCfgName,跟探测的网卡名称$interface 不一致,请再次确认！"

exit 1

else

echo_color info "填写的服务器网卡名称为：${ifCfgName}"

fi

By sean, 2 years02/26/2024 ago

SECURITY

Linux使用safe-rm防止误删系统文件

前言 safe-rm 是一款用来替代不安全 rm 的开源软件，可以在 /etc/safe-rm.conf 文件中配置保护名单，定义哪些文件不能被 rm 删除，可用于防止执行 rm -rf 命令导致文件被误删的发生。安装 safe-rm 工具 0.x版本的是通过shell脚本来实现的，而1.x版本则通过rust来实现的，需要现编译。 0.12版本下载安装：

# 下载文件<span>（-c 的作用是可以断点续传）</span>
# wget -c https://launchpadlibrarian.net/188958703/safe-rm-0.12.tar.gz

# 解压文件
# tar -xvf safe-rm-0.12.tar.gz

# 拷贝可执行文件
# cd safe-rm
# cp safe-rm /bin/

# 建立软链接
# mv /bin/rm /bin/rm.bak
# ln -s /bin/safe-rm /bin/rm

1

2

3

4

5

6

7

8

9

10

11

12

13

# 下载文件（-c 的作用是可以断点续传）

# wget -c https://launchpadlibrarian.net/188958703/safe-rm-0.12.tar.gz

# 解压文件

# tar -xvf safe-rm-0.12.tar.gz

# 拷贝可执行文件

# cd safe-rm

# cp safe-rm /bin/

# 建立软链接

# mv /bin/rm /bin/rm.bak

# ln -s /bin/safe-rm /bin/rm

创建 safe-rm 配置文件，添加保护名单

# 默认的safe-rm配置文件有以下两个，需要自行创建

全局配置：/etc/safe-rm.conf
用户配置：~/.safe-rm

# 创建全局配置文件
# touch /etc/safe-rm.conf

# 添加保护名单
# vim /etc/safe-rm.conf
/
/*
/etc
/etc/*
/usr
/usr/*
/usr/local
/usr/local/*
/usr/local/bin
/usr/local/bin/*
/bin/*
/boot/*
/dev/*
/etc/*
/home/*
/lib/*
/lib64/*
/media/*
/mnt/*
/opt/*
/proc/*
/root/*
/run/*
/sbin/*
/srv/*
/sys/*
/var/*

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

# 默认的safe-rm配置文件有以下两个，需要自行创建

全局配置：/etc/safe-rm.conf

用户配置：~/.safe-rm

# 创建全局配置文件

# touch /etc/safe-rm.conf

# 添加保护名单

# vim /etc/safe-rm.conf

/

/*

/etc

/etc/*

/usr

/usr/*

/usr/local

/usr/local/*

/usr/local/bin

/usr/local/bin/*

/bin/*

/boot/*

/dev/*

/etc/*

/home/*

/lib/*

/lib64/*

/media/*

/mnt/*

/opt/*

/proc/*

/root/*

/run/*

/sbin/*

/srv/*

/sys/*

/var/*

测试 save-rm 是否生效

# 创建测试文件
# touch /home/test.txt

# 追加需要保护的文件路径到配置文件中
# vim /etc/safe-rm.conf
/home/test.txt

# 测试删除受保护的文件路径，如果输出skipping日志代表safe-rm生效
# rm /home/test.txt
# rm -rf /home/test.txt
safe-rm: skipping /home/test.txt

# 注意：
# 配置文件里面的/etc只能保证执行"rm -rf /etc"命令的时候不能删除，但是如果执行"rm -rf /etc/app"，还是可以删除app文件的
# 如果想保证某个目录下面的所有文件都不被删除，则配置文件里可以写成/etc/*，但使用通配符的方式无法避免/etc目录下链接文件被删除
# 例如/lib或/lib64这种目录，下面会有很多库文件对应的链接文件，使用safe-rm并不能保护链接文件被删除
# 建议将/etc/safe-rm.conf加入到保护名单中，防止/etc/safe-rm.conf被删后配置失效

<span># 使用系统默认的删除命令，此时safe</span><span class="token operator">-</span><span>rm的保护作用将失效 # </span><span class="token operator">/</span><span>usr</span><span class="token operator">/</span><span>bin</span><span class="token operator">/</span><span>rm </span><span class="token operator">-</span><span>rf </span><span class="token operator">/</span><span>etc</span><span class="token operator">/</span><span>app</span>

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

# 创建测试文件

# touch /home/test.txt

# 追加需要保护的文件路径到配置文件中

# vim /etc/safe-rm.conf

/home/test.txt

# 测试删除受保护的文件路径，如果输出skipping日志代表safe-rm生效

# rm /home/test.txt

# rm -rf /home/test.txt

safe-rm: skipping /home/test.txt

# 注意：

# 配置文件里面的/etc只能保证执行"rm -rf /etc"命令的时候不能删除，但是如果执行"rm -rf /etc/app"，还是可以删除app文件的

# 如果想保证某个目录下面的所有文件都不被删除，则配置文件里可以写成/etc/*，但使用通配符的方式无法避免/etc目录下链接文件被删除

# 例如/lib或/lib64这种目录，下面会有很多库文件对应的链接文件，使用safe-rm并不能保护链接文件被删除

# 建议将/etc/safe-rm.conf加入到保护名单中，防止/etc/safe-rm.conf被删后配置失效

# 使用系统默认的删除命令，此时safe-rm的保护作用将失效 # /usr/bin/rm -rf /etc/app

1.1.0版本下载安装： 1.x版本解决了软链接文件的问题，保护目录下的软链接文件也不会被删除。官网地址是https://launchpad.net/safe-rm/trunk/1.1.0

#下载safe-rm源码
wget -c https://launchpad.net/safe-rm/trunk/1.1.0/+download/safe-rm-1.1.0.tar.gz

#解压
tar -zxvf safe-rm-1.1.0.tar.gz 
#安装依赖
yum install cargo
cd safe-rm-1.1.0/
#编译，编译完的safe-rm文件大小是11M
make
#移动功能文件到系统目录
mv target/release/safe-rm /usr/local/bin/
#替换rm命令
echo 'alias rm="safe-rm -i"' >> /etc/bashrc
#刷新修改的文件
source /etc/bashrc
#创建链接,将safe-rm替换rm
ln -s /usr/local/bin/safe-rm /usr/local/bin/rm
echo 'PATH=/usr/local/bin:$PATH' >>  /etc/profile
source /etc/profile

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

#下载safe-rm源码

wget -c https://launchpad.net/safe-rm/trunk/1.1.0/+download/safe-rm-1.1.0.tar.gz

#解压

tar -zxvf safe-rm-1.1.0.tar.gz

#安装依赖

yum install cargo

cd safe-rm-1.1.0/

#编译，编译完的safe-rm文件大小是11M

make

#移动功能文件到系统目录

mv target/release/safe-rm /usr/local/bin/

#替换rm命令

echo 'alias rm="safe-rm -i"' >> /etc/bashrc

#刷新修改的文件

source /etc/bashrc

#创建链接,将safe-rm替换rm

ln -s /usr/local/bin/safe-rm /usr/local/bin/rm

echo 'PATH=/usr/local/bin:$PATH' >> /etc/profile

source /etc/profile

By sean, 2 years02/21/2024 ago

SECURITY

centos7通过snap安装certbot免费获取并自动续期https证书

之前一直使用certbot-auto来获取https证书，后来更换了新域名，重新生成证书时，报：“Your system is not supported by certbot-auto anymore.”，查了一下是因为certbot-auto团队没有精力为所有操作系统进行维护，所以包括centos7在内的许多系统已不被支持，目前certbot不推荐在centos7上使用仓库安装，官方建议使用snap进行certbot的安装和更新。官方原文如下： While the Certbot team tries to keep the Certbot packages offered by various operating systems working in the most basic sense, due to distribution policies and/or the limited resources of distribution maintainers, Certbot OS packages often have problems that other Read more…

By sean, 2 years02/04/2024 ago

HANDBOOK

挂载nfs目录导致 df 命令卡死问题解决

问题： linux服务器挂载了一个含有海量文件的 nfs 目录，当使用 df命令时卡住了？先确认下是不是这个 nfs 目录的原因，使用strace df -h跟踪一下是哪个系统调用有问题。遇到卡住的地方就会停住

[root@node1 ~]# strace df -h
execve("/usr/bin/df", ["df", "-h"], 0x7ffefb6cbde8 /* 23 vars */) = 0
brk(NULL)                               = 0x230b000
...
...
statfs("/data/nfs",    #卡住的地方，确实是挂载的nfs目录

1

2

3

4

5

6

[root@node1 ~]# strace df -h

execve("/usr/bin/df", ["df", "-h"], 0x7ffefb6cbde8 /* 23 vars */) = 0

brk(NULL) = 0x230b000

...

statfs("/data/nfs", #卡住的地方，确实是挂载的nfs目录

nfsstat -m命令定位一下挂载的目录结果发现，服务器是挂载了一台不存在的nfs server导致的处理：先查看目录 mount -l 列出挂载的目录强制卸载目录 umount -f -l 挂载的目录，如：umount -f -l /data/nfs

By sean, 2 years01/23/2024 ago

PROGRAMMING

mysql 备份和修改表

#!/bin/bash

DB_USER='ro_all_db'
DATE=`date -d"today" +%Y%m%d`
TIME=`date "+%Y-%m-%d %H:%M:%S"`
MYSQL_SOURCE='172.20.x.x'
# DB_PASSWORD='xxxx'

echo '--------------开始备份:开始时间为 '$TIME
BEGIN=`date "+%Y-%m-%d %H:%M:%S"`
BEGIN_T=`date -d "$BEGIN" +%s`
echo '===>备份'$MYSQL_SOURCE'的mysql实例，开始时间为 '$BEGIN
BACKUP_DIR=/data/backup/$DATE/$MYSQL_SOURCE;
mkdir -p  $BACKUP_DIR;

for i in `mysql --ssl-mode=DISABLED -h$MYSQL_SOURCE -u$DB_USER -p'mypasswd' -B iuap_apcom_supportcenter -e "show tables;" | grep 'multilang_'`; do
	echo "-->开始备份表$i"
	mysqldump --ssl-mode=DISABLED --skip-opt -h$MYSQL_SOURCE -u$DB_USER -p'mypasswd' iuap_apcom_supportcenter $i > $BACKUP_DIR/$i.sql
	echo "-->表${i}已经备份完成"
done

cd $BACKUP_DIR
mkdir $BACKUP_DIR/replace_sql
for i in `ls *.sql`; do
	cat $i | sed -n '/^INSERT INTO/p'|sed 's/^INSERT INTO/REPLACE INTO/g'> $BACKUP_DIR/replace_sql/$i
done


cd $BACKUP_DIR/replace_sql
let num=1
echo "--------------开始修改:开始时间为 `date "+%Y-%m-%d %H:%M:%S"`"
for i in `ls *.sql`; do
	echo "$num-->开始修改表：$i，开始时间为 `date "+%Y-%m-%d %H:%M:%S"`"
	mysql -h172.20.1.1 -upremises -pmypasswd iuap_apcom_supportcenter < $i
	echo "$num-->完成修改表：$i，完成时间为 `date "+%Y-%m-%d %H:%M:%S"`"
	let num+=1
done
TIME=`date "+%Y-%m-%d %H:%M:%S"`
echo "--------------结束修改:时间为`date "+%Y-%m-%d %H:%M:%S"`"

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

#!/bin/bash

DB_USER='ro_all_db'

DATE=`date -d"today" +%Y%m%d`

TIME=`date "+%Y-%m-%d %H:%M:%S"`

MYSQL_SOURCE='172.20.x.x'

# DB_PASSWORD='xxxx'

echo '--------------开始备份:开始时间为 '$TIME

BEGIN=`date "+%Y-%m-%d %H:%M:%S"`

BEGIN_T=`date -d "$BEGIN" +%s`

echo '===>备份'$MYSQL_SOURCE'的mysql实例，开始时间为 '$BEGIN

BACKUP_DIR=/data/backup/$DATE/$MYSQL_SOURCE;

mkdir -p $BACKUP_DIR;

for i in `mysql --ssl-mode=DISABLED -h$MYSQL_SOURCE -u$DB_USER -p'mypasswd' -B iuap_apcom_supportcenter -e "show tables;" | grep 'multilang_'`; do

echo "-->开始备份表$i"

mysqldump --ssl-mode=DISABLED --skip-opt -h$MYSQL_SOURCE -u$DB_USER -p'mypasswd' iuap_apcom_supportcenter $i > $BACKUP_DIR/$i.sql

echo "-->表${i}已经备份完成"

done

cd $BACKUP_DIR

mkdir $BACKUP_DIR/replace_sql

for i in `ls *.sql`; do

cat $i | sed -n '/^INSERT INTO/p'|sed 's/^INSERT INTO/REPLACE INTO/g'> $BACKUP_DIR/replace_sql/$i

done

cd $BACKUP_DIR/replace_sql

let num=1

echo "--------------开始修改:开始时间为 `date "+%Y-%m-%d %H:%M:%S"`"

for i in `ls *.sql`; do

echo "$num-->开始修改表：$i，开始时间为 `date "+%Y-%m-%d %H:%M:%S"`"

mysql -h172.20.1.1 -upremises -pmypasswd iuap_apcom_supportcenter < $i

echo "$num-->完成修改表：$i，完成时间为 `date "+%Y-%m-%d %H:%M:%S"`"

let num+=1

done

TIME=`date "+%Y-%m-%d %H:%M:%S"`

echo "--------------结束修改:时间为`date "+%Y-%m-%d %H:%M:%S"`"

By sean, 2 years01/18/2024 ago

HANDBOOK

使用 GitHub Actions 编译 kubernetes 组件

在使用 kubernetes 过程中由于某些需求往往要修改一下 k8s 官方的源码，然后重新编译才行。本文就以修改 kubeadm 生成证书为默认 100 年为例，来讲解如何使用 GitHub Actions 来编译和发布生成的二进制文件。构建 clone repo 将 kubernetes 官方源码 fork 到自己的 repo 中

$ git clone https://github.com/k8sli/kubernetes.git
$ cd kubernetes
$ git remote add upstream https://github.com/kubernetes/kubernetes.git
$ git fetch --all
$ git checkout upstream/release-1.32
$ git checkout -B kubeadm-1.32

1

2

3

4

5

6

$ git clone https://github.com/k8sli/kubernetes.git

$ cd kubernetes

$ git remote add upstream https://github.com/kubernetes/kubernetes.git

$ git fetch --all

$ git checkout upstream/release-1.32

$ git checkout -B kubeadm-1.32

注：如果github上没有相关branch，也需要基于upstream来首先creat一个分支(比如release-1.32) workflow .github/workflows/kubeadm.yaml

---
name: Build kubeadm binary

on:
  push:
    tag:
      - 'v*'
  # 手动触发事件
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-20.04
    # 这里我们选择以 tag 的方式惩触发 job 的运行
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Build kubeadm binary
        shell: bash
        run: |
          # 运行 build/run.sh 构建脚本来编译相应平台上的二进制文件
          build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/amd64
          build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/arm64

      # 构建好的二进制文件存放在 _output/dockerized/bin/ 中
      # 我们根据二进制目标文件的系统名称+CPU体系架构名称进行命名
      - name: Prepare for upload
        shell: bash
        run: |
          mv _output/dockerized/bin/linux/amd64/kubeadm kubeadm-linux-amd64
          mv _output/dockerized/bin/linux/arm64/kubeadm kubeadm-linux-arm64
          sha256sum kubeadm-linux-{amd64,arm64} > sha256sum.txt

      # 使用 softprops/action-gh-release 来将构建产物上传到 GitHub release 当中
      - name: Release and upload packages
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: |
            sha256sum.txt
            kubeadm-linux-amd64
            kubeadm-linux-arm64

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

---

name: Build kubeadm binary

on:

push:

tag:

- 'v*'

# 手动触发事件

workflow_dispatch:

jobs:

build:

runs-on: ubuntu-20.04

# 这里我们选择以 tag 的方式惩触发 job 的运行

if: startsWith(github.ref, 'refs/tags/')

steps:

- name: Checkout

uses: actions/checkout@v2

- name: Build kubeadm binary

shell: bash

run: |

# 运行 build/run.sh 构建脚本来编译相应平台上的二进制文件

build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/amd64

build/run.sh make kubeadm KUBE_BUILD_PLATFORMS=linux/arm64

# 构建好的二进制文件存放在 _output/dockerized/bin/ 中

# 我们根据二进制目标文件的系统名称+CPU体系架构名称进行命名

- name: Prepare for upload

shell: bash

run: |

mv _output/dockerized/bin/linux/amd64/kubeadm kubeadm-linux-amd64

mv _output/dockerized/bin/linux/arm64/kubeadm kubeadm-linux-arm64

sha256sum kubeadm-linux-{amd64,arm64} > sha256sum.txt

# 使用 softprops/action-gh-release 来将构建产物上传到 GitHub release 当中

- name: Release and upload packages

uses: softprops/action-gh-release@v1

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

with:

files: |

sha256sum.txt

kubeadm-linux-amd64

kubeadm-linux-arm64

build/run.sh : Run a command in a build docker container. Common invocations: build/run.sh make: Build just linux binaries in the container. Pass options Read more…

By sean, 2 years12/26/2023 ago

HANDBOOK

github的token使用方法

github的token使用方法今天从本地向github push代码发，失败了。错误消息如下： remote: Support for password authentication was remove on August 123, 2021. Please use a personal access token instead. 原因是github不再使用密码方式验证身份，现在使用个人token。本文记录，如何生成token 在命令行下怎样使用token github如何生成token github的官方有给出如何生成个人token的文档。参考github官网生成token文档命令行如何使用token 之前，github使用用户名和密码作为身份验证，现在使用用户名和token作为验证。比如，github官网给出的示例。克隆一个仓库，提示输入用户名和密码，此处就可以使用上面生成的token作为密码使用。

$ git clone https://github.com/username/repo.git
Username: your_username
Password: your_token

1

2

3

$ git clone https://github.com/username/repo.git

Username: your_username

Password: your_token

但是有一个问题，我们总不能记住那么长的一串token吧为了解决这个问题，github提供了gh工具，通过gh登录验证身份后，之后再不需要验证身份。此处只演示ubuntu安装gh工具。

$ sudo apt update
$ sudo apt install snapd
$ sudo apt install gh

1

2

3

$ sudo apt update

$ sudo apt install snapd

$ sudo apt install gh

然后使用gh进行认证

$ gh auth login
# 输入你的用户名和token

1 2	$ gh auth login # 输入你的用户名和token

如下图所示：使用键盘上下键选择对应项，回车键确认。依次选择Github.com, HTTPS（如果使用的https协议）, 选择使用网页浏览器认证或者粘贴token认证，二者选择一个即可。如果是ssh远程登录，命令行中无法打开远程的浏览器，那么只能选择token验证了。选择使用网页认证：先复制命令行中生成的一次性验证码，比如我这里本次是5C38-D954。然后回车，自动打开网页浏览器，输入一次性验证码，授权即可完成认证。如果上面选择使用token认证，那么输入你的token即可。如果换了一台机器，那么重新生成一个新的token，然后gh auth login即可。

By sean, 2 years12/26/2023 ago

HANDBOOK

解决ansible mitogen 0.3.0+ 插件未渲染ansible_ssh_common_args模板变量问题

问题使用ansible mitogen 0.3.4插件进行kubespray安装时，报错： EOF on stream; last 100 lines received:\nssh: Could not resolve hostname {%: Name or service not known 分析经过debug分析，kubespray-default默认定义了如下变量模板：

ansible_ssh_common_args: |
"{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p 
-p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}
-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}"

1

2

3

4

ansible_ssh_common_args: |

"{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p

-p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}

-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}"

但是通过ansible role去执行后，通过mitogen进行ssh并没有渲染出来变量：

mitogen.parent: command line for Connection(None): ssh -o "LogLevel ERROR" -l root -p 22 -o "Compression yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 10" 
-o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -o "GlobalKnownHostsFile /dev/null" -C -o ControlMaster=auto 
-o ControlPersist=60s {% if bastion in groups[all] %} -o "ProxyCommand=ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p 
-p {{ hostvars[bastion][ansible_port] | default(22) }} {{ hostvars[bastion][ansible_user] }}@{{ hostvars[bastion][ansible_host] }} {% if ansible_ssh_private_key_file is defined %}
-i {{ ansible_ssh_private_key_file }}{% endif %} " {% endif %} 172.20.59.209 /usr/bin/python -c

1

2

3

4

5

mitogen.parent: command line for Connection(None): ssh -o "LogLevel ERROR" -l root -p 22 -o "Compression yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 10"

-o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -o "GlobalKnownHostsFile /dev/null" -C -o ControlMaster=auto

-o ControlPersist=60s {% if bastion in groups[all] %} -o "ProxyCommand=ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p

-p {{ hostvars[bastion][ansible_port] | default(22) }} {{ hostvars[bastion][ansible_user] }}@{{ hostvars[bastion][ansible_host] }} {% if ansible_ssh_private_key_file is defined %}

-i {{ ansible_ssh_private_key_file }}{% endif %} " {% endif %} 172.20.59.209 /usr/bin/python -c

可以看到，mitogen的ssh将ansible_ssh_common_args原封不动地输出来了修改源码验证：修改transport_config.py，增加debug信息：

476     def ssh_args(self):
478         print('------------>')
479         print('ssh_args: ',C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))
480         print('ssh_common_args: ',C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))
481         print('ssh_extra_args: ', C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))
482         print('----------->')
483         return [
484             mitogen.core.to_text(term)
485             for s in (
486                 C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})),
487                 C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})),
488                 C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {}))
489                 #C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=local_vars),
490                 #C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=local_vars),
491                 #C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=local_vars)
492             )
493             for term in ansible.utils.shlex.shlex_split(s or '')
494         ]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

476 def ssh_args(self):

478 print('------------>')

479 print('ssh_args: ',C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))

480 print('ssh_common_args: ',C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))

481 print('ssh_extra_args: ', C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})))

482 print('----------->')

483 return [

484 mitogen.core.to_text(term)

485 for s in (

486 C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})),

487 C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {})),

488 C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=self._task_vars.get("vars", {}))

489 #C.config.get_config_value("ssh_args", plugin_type="connection", plugin_name="ssh", variables=local_vars),

490 #C.config.get_config_value("ssh_common_args", plugin_type="connection", plugin_name="ssh", variables=local_vars),

491 #C.config.get_config_value("ssh_extra_args", plugin_type="connection", plugin_name="ssh", variables=local_vars)

492 )

493 for term in ansible.utils.shlex.shlex_split(s or '')

494 ]

下面是输出：

------------>
ssh_args:  -o ControlMaster=auto -o ControlPersist=1d -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -o Compression=yes -o TCPKeepAlive=yes -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o AddKeysToAgent=yes -o ControlPath=~/.ssh/%r@%h-%p
ssh_common_args:  {% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p -p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}
ssh_extra_args:  
----------->

1

2

3

4

5

------------>

ssh_args: -o ControlMaster=auto -o ControlPersist=1d -o UserKnownHostsFile=/dev/null -o ConnectTimeout=30 -o Compression=yes -o TCPKeepAlive=yes -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o AddKeysToAgent=yes -o ControlPath=~/.ssh/%r@%h-%p

ssh_common_args: {% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p -p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}

ssh_extra_args:

----------->

可以看到ssh_common_args变量没有渲染解决将_task_vars.get(“vars”, {}) 改为 _task_vars.get(“hostvars”, {})，从hostvars取值搜索官方issures: https://github.com/mitogen-hq/mitogen/pull/956 commit ac34252bcccb60b50e6a8ed3a3b2f42d256d62e0 https://github.com/mitogen-hq/mitogen/pull/956/commits/ac34252bcccb60b50e6a8ed3a3b2f42d256d62e0 总结 Read more…

By sean, 2 years12/07/2023 ago