分类目录归档:运维 & 基础架构

operations & infrastructure

Python fabric远程自动部署简介



本文主要介绍CentOS 6.3上使用fabric进行自动部署的基本方法。 继续阅读

haproxy: restrict specific URLs to specific IP addresses

This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses. For example, to make sure your admin interface can only be accessed from your company IP address.

This snippet was tested on haproxy 1.5.

This snippet is tested on a Digital Ocean VPS. If you like this snippet and want to support me, plus get free credit @ DO, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212

This example restricts access to the /admin/ and /helpdesk URL’s. It only allows access from the IP addresses and Any other IP addresses will get the standard haproxy 403 forbidden error. 继续阅读

Install package network:ha-clustering:Stable / crmsh

For RedHat RHEL-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/RedHat_RHEL-6/network:ha-clustering:Stable.repo
yum install crmsh

For Fedora 25 run the following as root:

dnf config-manager --add-repo http://download.opensuse.org/repositories/network:ha-clustering:Stable/Fedora_25/network:ha-clustering:Stable.repo
dnf install crmsh

For CentOS CentOS-7 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-7/network:ha-clustering:Stable.repo
yum install crmsh

For CentOS CentOS-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-6/network:ha-clustering:Stable.repo
yum install crmsh



ModSecurity是一款免费的开源主机waf软件(@http://www.modsecurity.org/),目前官网最新版本为2.9.1,支持nginx/apache/iis(32、64位)。它主要是作为上述web应用的扩展模块形式存在,通过相关的规则文件,对外部恶意的web攻击进行识别,并作出进一步的丢弃操作。  继续阅读

CIB not supported: validator ‘pacemaker-2.4’, release ‘3.0.10’

[root@a2 ~]# crm configure show
ERROR: CIB not supported: validator ‘pacemaker-2.4’, release ‘3.0.10’
ERROR: You may try the upgrade command
ERROR: configure: Missing requirements

If you look at the first line/tag in your Pacemaker configuration (# cibadmin –query > /tmp/cib.xml) you should see something like the following:
<cib crm_feature_set=”3.0.10″ validate-with=”pacemaker-2.4″ epoch=”6″ num_updates=”8″ …> 继续阅读


1. 前言

Together we will ensure that Kubernetes is a strong and open container management framework for any application and in any environment, whether in a private, public or hybrid cloud.

Urs Hölzle, Google

Kubernetes作为Docker生态圈中重要一员,是Google多年大规模容器管理技术的开源版本,是产线实践经验的最佳表现[G1] 。如Urs Hölzle所说,无论是公有云还是私有云甚至混合云,Kubernetes将作为一个为任何应用,任何环境的容器管理框架无处不在。正因为如此, 目前受到各大巨头及初创公司的青睐,如Microsoft、VMWare、Red Hat、CoreOS、Mesos等,纷纷加入给Kubernetes贡献代码。随着Kubernetes社区及各大厂商的不断改进、发展,Kuberentes将成为容器管理领域的领导者。

接下来我们会用一系列文章逐一探索Kubernetes是什么、能做什么以及怎么做。 继续阅读

Generating password hashes with puppet

Puppet expects the user’s password to be encrypted in the format the local system expects, for most modern Unix-like systems (Linux, *BSD, Solaris, etc.) this format is a salted SHA1 password hash.

To generate a password hash to use with puppet manifest files you can use the mkpasswd utility (it’s available in the whois package):

$ mkpasswd -m sha-512

You can then use the password hash in a puppet manifest file:

user { 'root':
    ensure   => 'present',
    password => '$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//',

Don’t forget to put the password in quotes so that puppet does not interpret it as a variable if it contains the dollar sign ($).

If you want the passwords to be stored in plain text in the puppet manifest you can use puppet’s generate function to call mkpassword and return the generated the hash version of the password:

$password = 'your_plain_text_password'
user { 'root':
    ensure   => 'present',
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),

Manage the Root User Password on Linux

# https://gist.github.com/jeffmccune/2360984
# = Class: site::root_user
# This is a simple class to manage the root user password.
# The shadow hash of an existing password can be easily obtained
# by running `puppet resource user root` on a Linux system
# that has the desired root password already set.
# Puppet will then manage this password everywhere.
# First, I set the password to “puppet” on one Linux node and then get back the
# shadow hash.
# root@pe-centos6:~# passwd root
# Changing password for user root.
# New password:
# BAD PASSWORD: it does not contain enough DIFFERENT characters
# BAD PASSWORD: is too simple
# Retype new password:
# passwd: all authentication tokens updated successfully.
# root@pe-centos6:~# puppet resource user root
# user { ‘root’:
# ensure => ‘present’,
# comment => ‘root’,
# gid => ‘0’,
# groups => [‘root’, ‘bin’, ‘daemon’, ‘sys’, ‘adm’, ‘disk’, ‘wheel’],
# home => ‘/root’,
# password => ‘$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0’,
# password_max_age => ‘99999’,
# password_min_age => ‘0’,
# shell => ‘/bin/bash’,
# uid => ‘0’,
# }
# = Sample Usage
# include site::root_user
# (MARKUP: http://links.puppetlabs.com/puppet_manifest_documentation)
class site::root_user {
# This will enforce the root password of “puppet”
user { root:
ensure => present,
password => ‘$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0’,

Apache Web Server Hardening & Security Guide

A practical guide to secure and harden Apache Web Server.

1. Introduction

The Web Server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network hence it becomes one of the most vulnerable services to attack. Having default configuration supply much sensitive information which may help hacker to prepare for an attack the web server.

The majority of web application attacks are through XSS, Info Leakage, Session Management and PHP Injection attacks which are due to weak programming code and failure to sanitize web application infrastructure. According to the security vendor Cenzic, 96% of tested applications have vulnerabilities. Below chart from Cenzic shows the vulnerability trend report of 2013.

This practical guide provides you the necessary skill set to secure Apache Web Server. In this course, we will talk about how to Harden & Secure Apache Web Server on Unix platform. Following are tested on Apache 2.4.x and I don’t see any reason it won’t work with Apache 2.2.x.

  1. This assumes you have installed Apache on UNIX platform. If not, you can go through Installation guide. You can also refer very free video about how to Install Apache, MySQL & PHP.
  2. We will call Apache installation directory /opt/apache as $Web_Server throughout this course.
  3. You are advised to take a backup of existing configuration file before any modification.



QQ会员活动运营平台(AMS),是QQ会员增值运营业务的重要载体之一,承担海量活动运营的Web系统。AMS是一个主要采用PHP语言实现的活动运营平台, CGI日请求3亿左右,高峰期达到8亿。然而,在之前比较长的一段时间里,我们都采用了比较老旧的基础软件版本,就是PHP5.2+Apache2.0(2008年的技术)。尤其从去年开始,随着AMS业务随着QQ会员增值业务的快速增长,性能压力日益变大。

于是,自2015年5月,我们就开始规划PHP底层升级,最终的目标是升级到PHP7。那时,PHP7尚处于研发阶段,而我们讨论和预研就已经开始了。 继续阅读