CentOS 7 cluster
CentOS 7 setup procedure:

```bash
yum install epel-release.noarch
yum install net-tools
yum install psmisc
yum install httpd
yum install perl
yum install perl-Digest-MD5
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum install -y kmod-drbd84 drbd84-utils
crm_verify -L -V
/bin/systemctl start pacemaker.service
# crmsh command (the original note says "crmadmin", which has no configure subcommand).
# stonith-enabled=false disables fencing: with DRBD below this leaves the cluster without protection against split-brain.
crm configure property stonith-enabled=false
service corosync restart
service pacemaker restart
yum install nmap
yum install open-vm-tools
service vmtoolsd start
systemctl enable vmtoolsd
yum install acpid
yum install unzip
yum install mod_ssl.x86_64
```
Unicast cluster configuration (/etc/corosync/corosync.conf):

```
logging {
    fileline: off
    to_logfile: yes
    logfile: /var/log/cluster/corosync.log
    to_stderr: no
    debug: off
    timestamp: on
    to_syslog: yes
    logger_subsys {
        subsys: QUORUM
        debug: off
    }
}

totem {
    version: 2
    token: 3000
    # secauth: on requires the same /etc/corosync/authkey (corosync-keygen) on both nodes
    secauth: on
    rrp_mode: active
    interface {
        member {
            memberaddr: 172.31.252.41
        }
        member {
            memberaddr: 172.31.252.42
        }
        ringnumber: 0
        bindnetaddr: 172.31.252.0
        mcastport: 694
        ttl: 1
    }
    transport: udpu
}

quorum {
    provider: corosync_votequorum
    expected_votes: 2
}
```

Apache configuration as a reverse proxy:

```apache
<VirtualHost *:80>
    ServerName webmail.xxxx.it
    Redirect / https://webmail.xxxx.it/
    # ProxyRequests Off
    # <Proxy *>
    #     Order deny,allow
    #     Allow from all
    # </Proxy>
    # ProxyPass / http://XX.XX.XX.XX/
    # ProxyPassReverse / http://XX.XX.XX.XX/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.xxxx.it
    RewriteEngine on
    ProxyPass / http://XX.XX.XX.XX/ retry=0 ttl=120 timeout=120
    ProxyPassReverse / http://XX.XX.XX.XX/
    <IfModule mod_ssl.c>
        SSLEngine On
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        # the trailing !RC4 removes the RC4 entries listed earlier in the same string
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
        #SSLSessionCache shmcb:/run/httpd/sslcache(512000)
        #SSLSessionCacheTimeout 300
        # 128 bit
        #SSLProtocol ALL -SSLv2
        #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS
        # 40 bit
        #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
        SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt
        SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt
        SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key
        ErrorDocument 403 http://www.xxxx.it/
        ErrorDocument 404 http://www.xxxx.it/
    </IfModule>
    # A reverse proxy only needs ProxyPass; the original note had "ProxyRequests on",
    # which additionally turns this vhost into a forward proxy for anyone who can reach it.
    ProxyRequests Off
    ProxyVia on
    AddOutputFilterByType SUBSTITUTE text/html
</VirtualHost>
```
Security configuration for various services:
https://cipherli.st/
Corosync/Pacemaker on CentOS 7 with LCMC
Packages to install

```bash
yum install perl
yum install perl-Digest-MD5
yum install epel-release
rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org
yum update
yum install kmod-drbd90 drbd90-utils
yum install acpid
yum install open-vm-tools
```
/etc/corosync/corosync.conf
```
logging {
    fileline: off
    to_logfile: yes
    logfile: /var/log/cluster/corosync.log
    to_stderr: no
    debug: off
    timestamp: on
    to_syslog: yes
    logger_subsys {
        subsys: QUORUM
        debug: off
    }
}

totem {
    version: 2
    token: 3000
    # secauth: on requires the same /etc/corosync/authkey (corosync-keygen) on both nodes
    secauth: on
    rrp_mode: active
    transport: udpu
}

nodelist {
    node {
        ring0_addr: 172.21.8.131
        nodeid: 1
    }
    node {
        ring0_addr: 172.21.8.132
        nodeid: 2
    }
}

quorum {
    provider: corosync_votequorum
    two_node: 1
    expected_votes: 2
}
```

```bash
systemctl enable corosync
systemctl enable pacemaker
reboot
```
andrea
Vim theme
.vimrc

```vim
" execute pathogen#infect()
syntax on
filetype plugin indent on
set nowrap
set t_Co=256
set background=dark
colorscheme PaperColor
```

PaperColor theme
PaperColor-Dark
Download into ~/.vim/colors/:

```bash
wget https://raw.githubusercontent.com/NLKNguyen/papercolor-theme/master/colors/PaperColor.vim
```
Experiments with multipath and SAN
http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath
https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf
```bash
grep mpt /sys/class/scsi_host/host?/proc_name   # which HBAs use the mpt driver
rescan-scsi-bus.sh
echo "- - -" > /sys/class/scsi_host/host1/scan   # rescan all channels/targets/LUNs on host1
multipath -l
multipathd -k"fail path sdb"
multipathd -k"del path sdb"
multipathd -k"reinstate path sdb"
multipathd -k"show paths"
dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls
echo 1 > /sys/block/sde/device/delete            # drop a SCSI device from the kernel
echo 1 > /sys/block/sda/device/rescan            # re-read a device's capacity
service multipath-tools restart                  # Debian service name; on CentOS 7: systemctl restart multipathd
partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev --rereadpt /dev/mapper/MSA_BELLNET
partprobe -s
pvcreate --uuid "DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m" --restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL
```
multipath.conf
```
defaults {
    polling_interval 15
    path_selector "round-robin 0"
    path_grouping_policy multibus
    prio const
    path_checker directio
    rr_min_io 100
    flush_on_last_del no
    max_fds 8192
    rr_weight priorities
    failback immediate
    no_path_retry fail
    queue_without_daemon no
    user_friendly_names yes
    mode 644
    uid 0
    gid disk
}

blacklist {
    devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
    devnode "^hd[a-z]"
    devnode "^sda"
    devnode "^sda[0-9]"
    wwid "3600508b1001c1f5b93df16da7e7ab72e"
    wwid "3600508b1001c81da7e4515d6a1c3a693"
    wwid "OCZ-VELO_DRIVE_OCZ-938561J47139J405"
    wwid "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676"
    wwid "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U"
    # wwid 3600c0ff0001432f020c55c5901000000
    device {
        vendor HP
        product "P410i|LOGICAL"
    }
}

devices {
    device {
        vendor "HP"
        product "P2000 G3*"
        path_grouping_policy "group_by_prio"
        # uid_attribute "ID_SERIAL"
        path_checker "tur"
        path_selector "round-robin 0"
        features "0"
        hardware_handler "0"
        prio "alua"
        rr_weight "uniform"
        failback "immediate"
        no_path_retry 18
        rr_min_io 100
    }
}

multipaths {
    multipath {
        wwid 3600c0ff00014e4ed9724235801000000
        alias MSA_NETLITE
    }
    multipath {
        wwid 3600c0ff00014e4edfa37695801000000
        alias MSA_NETLITE_BACKUP
    }
    multipath {
        # path_grouping_policy multibus
        wwid 3600c0ff0001432f020c55c5901000000
        alias MSA_BELLNET
    }
    multipath {
        wwid 3600c0ff0001432f0a80e5a5901000000
        alias MSA_BELLNET_BACKUP
    }
}
```
Squid proxy
squid.conf
```
http_port 8081
#http_port 10.1.1.5:8082
pid_filename /var/run/squid3-2.pid
cache_mgr [email protected]
visible_hostname NETLITEPROXY
#dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.123 208.67.220.123
dns_nameservers 10.5.1.5
dns_timeout 1 minutes
positive_dns_ttl 1 hours
negative_dns_ttl 10 minutes
fqdncache_size 51200
ipcache_size 51200
#pipeline_prefetch on
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-small 1024 16 256 max-size=32768
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-large 4096 16 256
cache_mem 2048 MB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
memory_pools on
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
ie_refresh on
cache_access_log /var/log/squid3/access-2.log
#cache_access_log /dev/null
#cache_log /var/log/squid3/cache-2.log
cache_log /dev/null
#cache_store_log /var/log/squid3/store-2.log
cache_store_log /dev/null
logfile_rotate 0
log_mime_hdrs off
log_icp_queries off
buffered_logs on
redirect_rewrites_host_header off
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl SSL_ports port 8080         # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
debug_options ALL,1
client_lifetime 12 hour
half_closed_clients off
pconn_timeout 5 minutes
request_timeout 5 minutes
connect_timeout 30 seconds
authenticate_ttl 15 minutes
authenticate_ip_ttl 15 minutes
max_open_disk_fds 32768
acl java_jvm browser Java/1. J/SSL
#acl localhost src 127.0.0.1/32
#acl reti_abilitate src 127.0.0.1/32
acl reti_abilitate src 10.5.1.0/24
acl netlite src 212.29.137.82/32   # netlite office
acl netlite src 87.248.52.82/32    # netlite office
acl no_cache_siti dstdomain "/etc/squid3/no-cache-siti.txt"
acl siti_pubblici dstdomain "/etc/squid3/siti-pubblici.txt"
acl lan-allowed-ip src "/etc/squid3/good-lan-ip.txt"
http_access allow lan-allowed-ip
# MAC addresses of Bovolone users
acl MAC arp "/etc/squid3/mac.txt"
# The two "browser" allows below match on the client-supplied User-Agent and are
# evaluated before "deny !reti_abilitate", so they apply from any source address.
acl emerge browser Wget
http_access allow emerge
always_direct allow emerge
acl aptupdate browser APT-HTTP
http_access allow aptupdate
always_direct allow aptupdate
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny connect !SSL_ports
http_access allow netlite
http_access deny !reti_abilitate
http_access allow siti_pubblici
http_access allow java_jvm
no_cache deny no_cache_siti
always_direct allow no_cache_siti
#request_header_access Allow allow all
#request_header_access Authorization allow all
#request_header_access WWW-Authenticate allow all
#request_header_access Proxy-Authorization allow all
#request_header_access Proxy-Authenticate allow all
#request_header_access Cache-Control allow all
#request_header_access Content-Encoding allow all
#request_header_access Content-Length allow all
#request_header_access Content-Type allow all
#request_header_access Date allow all
#request_header_access Expires allow all
#request_header_access Host allow all
#request_header_access If-Modified-Since allow all
#request_header_access Last-Modified allow all
#request_header_access Location allow all
#request_header_access Pragma allow all
#request_header_access Accept allow all
#request_header_access Accept-Charset allow all
#request_header_access Accept-Encoding allow all
#request_header_access Accept-Language allow all
#request_header_access Content-Language allow all
#request_header_access Mime-Version allow all
#request_header_access Retry-After allow all
#request_header_access Title allow all
#request_header_access Connection allow all
#request_header_access Proxy-Connection allow all
#request_header_access User-Agent allow all
#request_header_access From allow all
#request_header_access Referer allow all
#request_header_access Cookie allow all
#request_header_access All deny all
request_header_access All allow all
follow_x_forwarded_for deny all
forwarded_for delete
via off
forwarded_for off
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache
balance_on_multiple_ip off
#http_access deny !MAC
# used for anonymous ftp
ftp_user [email protected]
ftp_passive on
acl ftp proto FTP
acl ftp_port port 21
http_access allow ftp_port CONNECT
ftp_epsv off
#dns_v4_first on
# Final catch-all: only clients that survived "deny !reti_abilitate" above reach it.
http_access allow all
```
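As an added example (not part of the original notes), a small Python audit of the `acl`/`http_access` ordering above: Squid evaluates `http_access` first match wins, so it reports `allow` rules that any client can reach before a source-address `deny` takes effect. It runs over a constructed excerpt that keeps the rule order of the config above; the ACL type classification is this script's own assumption, not Squid's.

```python
# Constructed excerpt preserving the http_access order of the squid.conf above
# (ACL values shortened; only the ordering matters for the audit).
SQUID_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 443 21
acl CONNECT method CONNECT
acl reti_abilitate src 10.5.1.0/24
acl netlite src 212.29.137.82/32
acl lan-allowed-ip src 10.5.1.10/32
acl emerge browser Wget
acl aptupdate browser APT-HTTP
http_access allow lan-allowed-ip
http_access allow emerge
http_access allow aptupdate
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow netlite
http_access deny !reti_abilitate
http_access allow all
"""

# Assumed classification: ACL types whose match value comes from the request itself ...
CLIENT_CONTROLLED = {"browser", "req_header", "url_regex", "urlpath_regex",
                     "dstdomain", "dstdom_regex", "method", "port", "proto"}
# ... versus types tied to where the request comes from.
SOURCE_BASED = {"src", "arp", "srcdomain", "srcdom_regex", "src_as"}

def parse(conf):
    """Return ({acl name: acl type}, [(action, [terms]), ...]) in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop trailing comments
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1].lower(), parts[2].lower())  # names compared case-insensitively here
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def audit(conf):
    """List allow rules reachable from any source before the first src-based deny."""
    acls, rules = parse(conf)
    findings, source_deny_seen = [], False
    for n, (action, terms) in enumerate(rules, 1):
        names = [t.lstrip("!").lower() for t in terms]  # "!" negation does not change the ACL type
        types = {"all" if nm == "all" else acls.get(nm, "undefined") for nm in names}
        if action == "deny" and types & SOURCE_BASED:
            source_deny_seen = True
        elif action == "allow" and not source_deny_seen and (
                "all" in types or types <= CLIENT_CONTROLLED):
            findings.append(f"rule {n}: 'allow {' '.join(terms)}' is reachable from any source address")
    return findings
```

On the excerpt this flags rules 2 and 3 (the `Wget` and `APT-HTTP` allows); moving them below `deny !reti_abilitate` clears the findings.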