#获取网卡模式状态
ipmitool raw 0x30 0x70 0x0c 0.
#设置独立网卡模式
ipmitool raw 0x30 0x70 0x0c 1 0.
#设置公网IP共享模式
ipmitool raw 0x30 0x70 0x0c 1 1.
#设置成failover模式
ipmitool raw 0x30 0x70 0x0c 1 2.windows版本ipmitool https://kvm.la/ipmitool-for-windows.html
官方使用的docker部署, 这里折腾了下改为系统直接安装了
安装好后丢caddy或者nginx反向代理一下就好了, 我这直接用cloudflare的隧道进行代理了.
mkdir /home/coterm/public -p
cd /home/coterm/public
git clone https://github.com/novnc/noVNC
cd /tmp
git clone "https://github.com/ConvoyPanel/coterm.git"
cd coterm
npm install
npm run build
cp -rf ./build/* /home/coterm/public/
#编译coterm主程序
cd ./src-rust
cargo run
cargo build --release
install target/release/coterm /home/coterm/
cat>/home/coterm/.env<<EOF
CONVOY_URL=https://XXX.XXXX. XX #面板地址
COTERM_TOKEN="XXXXX"
BACKEND_PORT=2600
DANGEROUS_DISABLE_TLS_VERIFICATION=false
RUST_BACKTRACE="full"
EOFcat>/etc/systemd/system/coterm.service<<EOF
[Unit]
Description=Coterm Service
After=network.target nss-lookup.target
[Service]
Type = simple
EnvironmentFile=/home/coterm/.env
ExecStart=/home/coterm/coterm
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
这里没有采用官方的docker安装方式, 直接源码进行安装
yum install redis git epel-*
SETPATH=/home/pve/ #设置安装目录
mkdir -p $SETPATH
cd $SETPATH
# 将php artisan horizon:work加入系统服务运行
cat>/etc/systemd/system/pve.service<<EOF
[Unit]
Description=Convoy Service
After=network.target nss-lookup.target
[Service]
Type = simple
ExecStart=/usr/bin/php $SETPATH/artisan horizon:work
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
wget https://github.com/convoypanel/panel/releases/latest/download/panel.tar.gz -O - | tar xz
chmod -R o+w storage/* bootstrap/cache/
composer install --no-dev --optimize-autoloadercp .env.example .env
vim .env这里主要是设置数据库和redis
php artisan key:generate --force #生成加盐
php artisan optimize
php artisan migrate --force #导入数据库
php artisan c:user:make #生成账户
systemctl enable pve --now其他的php和web设置就不复述了, 官方文档主少提了要守护进程运行php artisan horizon:work所以写这篇文章记录一下.
登录PVE宿主节点运行
wget https://github.com/convoypanel/broker/releases/latest/download/broker.tar.gz -O - | tar xz -C /
yum -y install squid
mkdir -p /home/squid/logs /home/squid/coredump_dir /home/squid/cache_dir
chown squid.squid -R /home/squid/
systemctl enable squidsquid.conf配置内容
cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed 允许访问IP(只允许这个ip做代理请求)
acl allowip src 14.29.10.100
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# set out - ip 配置出口IP
acl ip118 myip 14.29.10.118
acl ip119 myip 14.29.10.119
acl ip120 myip 14.29.10.120
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow allowip
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# 设置代理端口
http_port 3228
#set out-ip 多公网IP关键配置;下面的配置是指
#若使用代理IP14.29.10.118则走ip118的ip(14.29.10.118);
#若使用代理IP14.29.10.119则走ip119的ip(14.29.10.119);
#若使用代理IP14.29.10.120则走ip120的ip(14.29.10.120)
tcp_outgoing_address 14.29.10.118 ip118
tcp_outgoing_address 14.29.10.119 ip119
tcp_outgoing_address 14.29.10.120 ip120
# Squid set log path etc.
dns_nameservers 8.8.8.8
visible_hostname aliserver
#透明代理关键配置
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /home/squid/cache_dir 100 16 256
cache_access_log /home/squid/logs/access.log
cache_log /home/squid/logs/cache.log
cache_store_log /home/squid/logs/store.log
coredump_dir /home/squid/coredump_dir
pid_filename /home/squid/squid.pid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320验证代理
export https_proxy=http://127.0.0.1:3228 http_proxy=http://127.0.0.1:3228
curl icanhazip.com
curl curlmyip.com
curl ip.appspot.com
curl ipinfo.io/ip
curl ipecho.net/plain
curl www.trackip.net/i
#补充
curl ip.sb
curl ip.6655.com/ip.aspx
curl whatismyip.akamai.com
wget -qO - ifconfig.co
dig +short myip.opendns.com @resolver1.opendns.com
curl ident.me
curl v4.ident.me
curl v6.ident.me
curl inet-ip.info
#返回IP和地区
curl ip.6655.com/ip.aspx?area=1
curl 1111.ip138.com/ic.asp
curl ip.cn
curl cip.ccstelnet 192.168.99.1 22 #登录其他设备ssh
display logbuffer #查看缓冲日志
display fib slot 3 #查看板卡FIB
display memory #查看内存
display ip routing-table vpn-instance vrf1 #查看vrf路由表
display ip routing-table #查看默认路由表
disply bgp peer #查看bgp peer
display bgp routing-table 1.0.0.0 #查看1.0.0.0 的路由信息
display bgp routing-table community #查看路由表的community
display bgp routing-table regular-expression 174 #正则匹配as的路由表
display bgp routing-table regular-expression ^174_ #正则匹配as174开头的路由表
display bgp routing-table regular-expression _174$ #正则匹配as174结尾的路由表
display bgp routing-table regular-expression _(4808|4837|9929|10099) #正则匹配联通as的路由表
display bgp routing-table regular-expression _(4134|4809_4134) #正则匹配电信as的路由表
display bgp routing-table peer X.X.X.X accepted-routes #查看bgp邻居收到的路由表
display bgp routing-table peer X.X.X.X advertised-routes #查看bgp邻居发出的路由表
display bgp ipv6 routing-table #查看路由表
display bgp ipv6 peer #查看ipv6 bgp session
display bgp ipv6 routing-table peer XX:XX:XX advertised-routes #查看IPv6 bgp邻居发出的路由表
display interface brief #查看端口状态
display interface GigabitEthernet0/3/0 #查看端口信息,例如spf光信号等
#设置vrf
#
ip vpn-instance vrf1
ipv4-family
route-distinguisher 999:2
apply-label per-route
ip direct-routing-table route-policy HE-IN
vpn-target 999:2 export-extcommunity
vpn-target 999:2 import-extcommunity
#
bgp 999
ipv4-family vpn-instance Local_SG
import-route direct
import-route static
import-route ospf 100
active-route-advertise
ext-community-change enable
import-rib public route-policy HE-IN
peer X.X.X.X as-number 888
peer X.X.X.X timer keepalive 10 hold 180
peer X.X.X.X password simple PASSWORD
peer X.X.X.X route-policy IX-IN import
peer X.X.X.Xroute-policy IX-ipv4-out export
#
ip route-static vpn-instance vrf1 <目的网络> <目的子网掩码> <下一跳地址> #设置ip段vrf出口
有时候跑一个长期运行的命令, 或者突然掉线重新连接后进程还在需要把进程调出来继续执行,
或者是将现有的进程丢进screen里面继续后台运行.
这时候reptyr就派上用场了
yum install reptyr -y
reptyr 进程PID
现在用snap商店安装软件越来越频繁了, 而且众多linux发行版都支持了.
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo systemctl start snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
export PATH="$PATH:/snap/bin"
echo 'export PATH="$PATH:/snap/bin"' >> $HOME/.bashrc安装一个 flutter压压惊
sudo yum install epel-release -y
sudo yum install clang cmake ninja-build pkgconfig gtk3-devel xz-devel gtk3-devel -y
snap install flutter --classic
yum install epel-release -y
yum install doxygen -y
git clone https://github.com/BYVoid/OpenCC.git
cd OpenCC
make
sudo make install
git clone https://github.com/nauxliu/opencc4php
cd opencc4php
phpize
./configure
make && sudo make install
echo extension=opencc.so >> /opt/php7/etc/php.d/1-opencc.ini
composer载入php-opencc
composer require overtrue/php-opencc -vvv
swapoff /dev/vda2;
mkswap /dev/vda2;
swapon /dev/vda2;
resize2fs /dev/vda1;
yum -y update;systemctl disable guestfs-firstboot;
rebootp1. kvm运行Centos9/almalinux-9 出现kernel panic , 改qemu的cpu模式为 host-model 解决 (前两年其实就踩过了没记录给忘记了)
2.系统模版封装
下载转换qcow2为raw
qemu-img convert centos9-stream.qcow2 centos9-stream.raw
#挂载修改文件
kpartx -av centos9-stream.raw
mount /dev/mapper/loop0p2 /mnt
umount /mnt
#### 咔咔咔一顿更改设置
#这里直接先安装一个现有的操作系统, 然后dd写入分区文件,(主要是懒不想去自己封装系统,拿现成的)
kpartx /dev/mapper/vg0-kvmXXXX_img
dd_rescue /dev/mapper/loop0p2 /dev/mapper/vg0-kvmXXXX_img1
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
grub2-install /dev/sdXXXXX #重写引导信息
exit
rm -r /mnt/root/.bash_history #删除操作记录
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt/
kpartx -dv /dev/mapper/vg0-kvmXXXX_img
/scripts/kvmtemplate --generation=2 --mode=package --vmid=kvmXXXX #重新打包模版
cloudinit 转solusvm 模版偷梁换柱完事
solusvm官方没更新模版了, 这次给遗留的机器加上最新系统的模版
由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.
server {
server_name gallery.XX.net;
index index.php;
root /home/gallery/web;
location =/ {}
location / { deny all;}
location /.well-known/acme-challenge/ { return 200; }
location ~ \.php(?:$|/) {
try_files $uri = 404;
fastcgi_pass unix:/dev/shm/php8-fpm.sock;
}
}设定ssl证书
dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
echo "0 3 * * 6 /usr/bin/certbot renew --quiet"> /etc/cron.d/certbot主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip,所以 read_ip读取它.
然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_set_header REMOTE_ADDR $HTTP_X_FORWARDED_FOR;yum install snmp -y
cat>/etc/snmp/snmpd.conf<<EOF
sysLocation Sitting on the Dock of the Bay
sysContact Me <[email protected]>
sysServices 72
master agentx
view systemview included .1.3.6.1.2.1
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view systemview included .1.3.6.1.2.1.2.2.1.1
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
view systemview included .1.3.6.1.2.1.2.2.1
rocommunity public1611 default
rocommunity6 public1611 default -V systemonly
createUser snmpname SHA "123pwd" AES "123pwd"
rouser snmpname
usmSecurityLevel authPriv
usmUser snmpname - SHA "123pwd" AES "123pwd"
com2sec readonly default public1611
group MyROGroup v2c readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
rocommunity public1611
agentaddress udp:127.0.0.1:16100
EOF
Import Color Scheme into iTerm2:
iTerm2 -> Preferences -> Profiles.Colors tab, you will see a Color Presets dropdown. Open it.Import...https://raw.githubusercontent.com/mbadolato/iTerm2-Color-Schemes/master/schemes/Solarized%20Dark%20Higher%20Contrast.itermcolorswget $(curl -s https://api.github.com/repos/ehang-io/nps/releases/latest | grep -oP '"browser_download_url": "\Khttps://[^"]+')把ehang-io/nps换成你要的github ID和项目地址.
