CentOS 7 Configure DNS Server

This post walks through deploying a DNS server on CentOS 7. In the test environment the server runs on CentOS 7, and one Windows and one Linux client are used to verify resolution.

The goal is a resolver that answers the company's internal custom domain itself. For names outside that zone it forwards the query to the ISP's DNS servers and caches the answer. Recursion (and therefore forwarding) is offered only to clients on the internal networks; queries from any other source address are refused, so the server does not become an open resolver.

DNS service overview

The DNS service is provided by BIND. Once started the service is called named, the control utility is rndc, the query/debug tool is dig, and the main configuration file is /etc/named.conf.

Installation

Install the bind-chroot package. It runs named inside a chroot under /var/named/chroot, which limits what a compromised named process can reach on the host:

➜  ~ yum install -y bind-chroot

After installation, start the named-chroot service and enable it at boot. Until named.conf is edited, named listens on the loopback address only (port 53 for DNS, port 953 for rndc control):

➜  ~ systemctl enable named-chroot.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
➜  ~ systemctl start named-chroot.service
➜  ~ netstat -ntlp | grep 53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4515/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4515/named

Configuration

Back up the server's main configuration file, then edit it. Two settings below deserve attention. listen-on { any; } makes named reachable on every interface, so the allow-query and allow-recursion ACLs are the only thing stopping it from being an open resolver; keep them limited to the internal networks. The three dnssec-* lines switch validation off, which means whatever the upstream forwarders return is accepted unverified; the CentOS 7 default is dnssec-validation yes, and it is worth keeping unless the forwarders are known to break it.

➜  ~ cp /etc/named.conf /etc/named.conf.bak
➜  ~ vim /etc/named.conf

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query { 192.168.16.0/24; 192.168.0.0/23; };
    recursion yes;
    allow-recursion { 192.168.16.0/24; 192.168.0.0/23; };

    forward first;
    forwarders { 202.96.209.133; 114.114.114.114; };

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;

    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

// New zone for the internal samzong.local domain.
zone "samzong.local" IN {
    type master;
    file "samzong.local.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
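The two ACLs in the options block are what keep this server from being an open resolver, and BIND's defaulting rules for them are easy to get wrong: when allow-recursion is absent, named falls back to allow-query-cache, then to allow-query, and only then to { localnets; localhost; }. The following script, added here as an example and not part of BIND or the original post, applies those rules to an options {} block and reports the effective recursion ACL. The first sample configuration is the options block from this post; the other two are constructed weaker variants.

```python
"""Effective recursion ACL of a BIND 9 options {} block.

Added example for this post, not part of BIND. Applies BIND 9's
defaulting chain (allow-recursion -> allow-query-cache -> allow-query ->
{ localnets; localhost; }) and the listen-on default of "any" to tell
whether a named.conf exposes an open recursive resolver.
"""
import re

OPEN_ACL_ENTRIES = {"any", "0.0.0.0/0", "::/0"}
LOOPBACK_ONLY = {"127.0.0.1", "::1", "localhost"}
RECURSION_FALLBACK = ("allow-recursion", "allow-query-cache", "allow-query")


def _strip_comments(conf):
    return re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", conf, flags=re.S)


def _block(conf, keyword):
    """Text between the braces of the top-level `keyword { ... }`."""
    start = re.search(r"\b%s\s*\{" % re.escape(keyword), conf)
    if not start:
        raise ValueError("no %s block found" % keyword)
    depth, i = 1, start.end()
    for j in range(i, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[j], 0)
        if depth == 0:
            return conf[i:j]
    raise ValueError("unterminated %s block" % keyword)


def _statements(body):
    """Split on ';' at brace depth 0 so ACL lists stay intact."""
    depth, cur = 0, []
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                yield "".join(cur).strip()
            cur = []
        else:
            cur.append(ch)


def parse_options(conf):
    """Map each statement in options {} to its value; ACLs become lists."""
    opts = {}
    for stmt in _statements(_block(_strip_comments(conf), "options")):
        name = stmt.split()[0]
        if "{" in stmt:
            inner = stmt[stmt.index("{") + 1:stmt.rindex("}")]
            opts[name] = [e.strip() for e in inner.split(";") if e.strip()]
        else:
            parts = stmt.split(None, 1)
            opts[name] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def effective_recursion_acl(opts):
    """Who may recurse after BIND's defaulting rules; [] if recursion is off."""
    if opts.get("recursion", "yes").lower() == "no":
        return []
    for key in RECURSION_FALLBACK:
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit(conf):
    opts = parse_options(conf)
    acl = effective_recursion_acl(opts)
    listens = opts.get("listen-on", ["any"])  # BIND default: every interface
    reachable = any(e not in LOOPBACK_ONLY for e in listens)
    return {"recursion_acl": acl,
            "open_resolver": reachable and any(e in OPEN_ACL_ENTRIES for e in acl)}


# The options block from this post (statements irrelevant here omitted).
POST_CONF = """
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { 192.168.16.0/24; 192.168.0.0/23; };
    recursion yes;
    allow-recursion { 192.168.16.0/24; 192.168.0.0/23; };
    forward first;
    forwarders { 202.96.209.133; 114.114.114.114; };
};
zone "." IN { type hint; file "named.ca"; };
"""
# Constructed weak variant: allow-recursion forgotten, allow-query widened.
OPEN_CONF = """
options {
    listen-on port 53 { any; };
    allow-query { any; };  // "anyone may query" silently becomes "anyone may recurse"
    recursion yes;
};
"""
# Constructed: nothing set, so BIND's own defaults apply.
DEFAULT_CONF = 'options { directory "/var/named"; };'

if __name__ == "__main__":
    for label, conf in (("post", POST_CONF), ("open", OPEN_CONF), ("defaults", DEFAULT_CONF)):
        print(label, audit(conf))
```

Run it against a real named.conf before starting the service; the open-resolver verdict also takes listen-on into account, so a server that only binds the loopback address is reported as not exposed even with a permissive ACL.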

Editing samzong.local.zone

First create the zone file in the zone directory (named-chroot bind-mounts /var/named into the chroot, so files created here are visible to named):

➜  ~ cd /var/named
➜  named touch samzong.local.zone

Then add the following records (@ stands for the zone origin, samzong.local.):

$TTL 86400
@       IN SOA  @ root.samzong.local. (
                2016042112  ; Serial
                3600        ; Refresh
                1800        ; Retry
                604800      ; Expire
                43200       ; Minimum TTL
                )

@       IN NS   @
@       IN A    10.0.2.6
www     IN A    192.168.16.100
a       IN CNAME www.baidu.com.
b       IN A    192.168.16.101
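A zone file like the one above is terse because of its shorthand: @ means the origin, a record without an owner name inherits the previous one, unqualified names get the origin appended, and the SOA spans several lines inside parentheses. The script below, added as an example and not part of BIND or the original post, parses that syntax and then lints the result for the mistakes that make named refuse a zone or leave it unusable: a missing or duplicated SOA, an NS pointing at an in-zone name that has no address record, and a CNAME sharing its owner with other data. The first sample is the post's own zone; the second is a constructed broken one.

```python
"""Parse and lint a BIND master file (added example, not part of BIND).

Handles the syntax the post's zone uses ($TTL, '@', ';' comments, multi-line
SOA in parentheses, owner inheritance, relative names) and flags what
named-checkzone or a secondary would reject.
"""
# rdata positions that hold domain names and so need the origin appended
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}


def _absolute(name, origin):
    """Expand '@' and relative names to dot-terminated absolute names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def _logical_lines(text):
    """Yield (owner_omitted, tokens), joining parenthesised continuations."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # ';' starts a comment
        if depth == 0:
            if not line.strip():
                continue
            indented = line[0] in " \t"      # no owner field: inherit it
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield indented, " ".join(buf).split()
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses in zone file")


def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with every name absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for owner_omitted, toks in _logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if not owner_omitted:
            owner = _absolute(toks.pop(0), origin)
        ttl = default_ttl
        if toks[0].isdigit():                # optional per-record TTL
            ttl = int(toks.pop(0))
        if toks[0].upper() in {"IN", "CH", "HS"}:   # optional class
            toks.pop(0)
        rtype = toks.pop(0).upper()
        rdata = tuple(_absolute(t, origin) if i in NAME_FIELDS.get(rtype, ()) else t
                      for i, t in enumerate(toks))
        records.append((owner, ttl, rtype, rdata))
    return records


def lint_zone(records, origin):
    """Problems an authoritative server or a secondary would choke on."""
    origin = origin if origin.endswith(".") else origin + "."
    by_owner = {}
    for owner, _ttl, rtype, rdata in records:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    problems, apex = [], by_owner.get(origin, {})
    if len(apex.get("SOA", [])) != 1:
        problems.append("expected exactly one SOA at %s" % origin)
    if not apex.get("NS"):
        problems.append("no NS record at apex %s" % origin)
    for (target,) in apex.get("NS", []):
        if target == origin or target.endswith("." + origin):   # in-zone server
            types = by_owner.get(target, {})
            if "CNAME" in types or not {"A", "AAAA"} & set(types):
                problems.append("NS target %s is a CNAME or has no A/AAAA record" % target)
    for owner, types in by_owner.items():
        if "CNAME" in types and sum(len(v) for v in types.values()) > 1:
            problems.append("%s has a CNAME together with other data" % owner)
    return problems


# The zone file from this post.
POST_ZONE = """\
$TTL 86400
@       IN SOA  @ root.samzong.local. (
                2016042112  ; Serial
                3600 1800 604800 43200 ; Refresh Retry Expire Minimum
                )
@       IN NS   @
@       IN A    10.0.2.6
www     IN A    192.168.16.100
a       IN CNAME www.baidu.com.
b       IN A    192.168.16.101
"""
# Constructed broken zone: NS target without an address, CNAME clashing with an A.
BROKEN_ZONE = """\
@   IN SOA @ root.samzong.local. ( 1 3600 1800 604800 43200 )
@   IN NS  ns1
www IN A   192.168.16.100
www IN CNAME b
"""
```

named-checkzone remains the authoritative check; this script is useful where the zone file is generated by automation and should be validated before it is copied to the server.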

After editing, restart named-chroot so the zone is loaded. It is worth running named-checkconf and named-checkzone on the new files first: a syntax error makes named refuse to load the zone, and every later edit to the zone file must bump the serial or secondaries will never notice the change.

➜  named systemctl restart named-chroot.service

Client verification

With the client's resolver pointed at the new server (192.168.16.6 here), look up a name from the zone:

➜  named nslookup www.samzong.local
Server: 192.168.16.6
Address: 192.168.16.6#53

Name: www.samzong.local
Address: 192.168.16.100

Managing the server with rndc

Commonly used rndc commands:

status          show the BIND server's status
reload          reload the configuration file and all zone files
reload <zone>   reload the named zone only
reconfig        re-read the configuration and load newly added zones, without reloading existing ones
querylog        toggle query logging on or off
dumpdb          dump the cache to the dump-file set in named.conf
freeze          suspend dynamic updates to all zones (thaw resumes them)

Adding a new disk to CentOS to extend the root filesystem

When I first planned the disk layout I made the root partition too small, which later blocked my lab work, so after some research I decided to try enlarging the root filesystem. Note that this only applies to a filesystem that sits on LVM.

Lab environment

  • Parallels Desktop 12
  • CentOS 6.9
  • root filesystem 6.5 GB
  • 5.8 GB in use
  • planning to add 12 GB of disk

HowTo install Zoomdata

Zoomdata is a big-data visualization tool created by the company of the same name, one of the few data-analytics vendors that also supports mobile clients. Its visualizations turn big-data streams into touch-friendly, visually rich three-dimensional views. Zoomdata positions itself as a non-ETL tool (ETL being the traditional extract, transform and load pipeline), supports many data sources including social media, and is most often used as the presentation layer for a big-data platform. It has good support for Cloudera Impala, which is why we implemented Zoomdata together with Cloudera.^1

System requirements

The latest Zoomdata release is v2.4. It supports the common mainstream operating systems and comes with very helpful installation documentation, but it cannot be installed on 32-bit operating systems.


HowTo Install NextCloud

With one cloud-storage vendor recently dropping its consumer service and others starting to charge or throttle, and with data held at third-party providers being stolen, neither the security nor the availability of that data is guaranteed. Smart devices also mean I have a growing number of high-quality photos to store. So I looked at hosting my own storage, compared OwnCloud, Seafile and NextCloud, and settled on NextCloud. NextCloud forked from OwnCloud; OwnCloud's development has more or less stalled in recent years and most of its developers moved to NextCloud, which inherits the simple, PHP-based setup.

Environment

  • Alibaba Cloud ECS, CentOS 6.x
  • Free SSL certificate (issued via Tencent Cloud)

Setting up the LNMP stack

Software versions

Base packages

Fetch the repository release RPMs over https where the mirror offers it; a repository definition pulled over plain http is a supply-chain weak point.

[root@ultraera ~]# yum update -y
[root@ultraera ~]# yum groupinstall -y "Base"
[root@ultraera ~]# yum groupinstall -y "Development tools"

# Install epel
[root@ultraera ~]# yum install -y epel-release

# Install remi
[root@ultraera ~]# yum install http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

# Install mysql-community
[root@ultraera ~]# yum install http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/mysql-community-release-el6-7.noarch.rpm
Install LNMP

# Install MySQL
[root@ultraera ~]# yum --enablerepo=mysql-community install -y mysql-server mysql-libs mysql-devel
[root@ultraera ~]# service mysqld start
[root@ultraera ~]# mysql_secure_installation
[root@ultraera ~]# chkconfig mysqld on

# Install Nginx
[root@ultraera ~]# yum --enablerepo=epel install -y nginx
[root@ultraera ~]# service nginx start
[root@ultraera ~]# chkconfig nginx on

# Install PHP and php-fpm
[root@ultraera ~]# yum --enablerepo=remi-php56 install php php-fpm php-mysql php-gd php-xml php-redis php-libs php-devel php-zlib
[root@ultraera ~]# service php-fpm start
[root@ultraera ~]# chkconfig php-fpm on
[root@ultraera ~]# service nginx restart

Download NextCloud

[root@ultraera ~]# wget https://download.nextcloud.com/server/releases/nextcloud-11.0.1.tar.bz2
[root@ultraera ~]# tar xf nextcloud-11.0.1.tar.bz2
[root@ultraera ~]# mv nextcloud-11.0.1 /opt/nextcloud
Configuring Nginx and php-fpm

php-fpm runs its pool as the apache user by default. Since this setup uses Nginx, change the pool's user and group in the php-fpm configuration. Do not take the shortcut of setting them to root: php-fpm refuses to run a pool as root.

[root@ultraera ~]# vim /etc/php-fpm.d/www.conf
user=nginx
group=nginx
[root@ultraera ~]# service php-fpm restart

NextCloud ships with Apache in mind (its access rules live in .htaccess files that Nginx ignores), so it needs a dedicated Nginx server block that reproduces them, most importantly the deny rules for config/, data/ and the other internal directories. The configuration below can be used as-is; the places you have to change are marked in the comments. Note that it sends Strict-Transport-Security with includeSubdomains, which commits every subdomain of the host to HTTPS for 180 days; read up on the header before keeping that line.

[root@ultraera ~]# vim /etc/nginx/conf.d/nextcloud.conf
upstream php-handler {
# port php-fpm listens on; the default is 9000
server 127.0.0.1:9000;
#server unix:/var/run/php5-fpm.sock;
}

server {
# your domain
listen pan.ultraera.org:80;
server_name pan.ultraera.org;
# enforce https
return 301 https://$server_name$request_uri;
}

server {
# your domain
listen pan.ultraera.org:443 ssl;
server_name pan.ultraera.org;

# paths of your SSL certificate chain and private key
ssl_certificate /etc/nginx/ssl/1_pan.ultraera.org_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/2_pan.ultraera.org.key;

# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; ";

# NextCloud's document root; adjust to your installation
root /opt/nextcloud/;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
rewrite ^ /index.php$uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}

location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}
[root@ultraera ~]# service nginx restart
文件权限调整

因为NextCloud运行是以nginx程序,注意修改目录所属用户和组为nginx

1
[root@ultraera ~]# chown -R nginx:nginx /opt/nextcloud
Creating the MySQL database

MySQL spells the character set utf8; UTF-8 with a hyphen is rejected as an unknown character set. The grant is limited to the nextcloud database and to connections from localhost, which is all the application needs.

mysql> CREATE DATABASE nextcloud CHARACTER SET utf8;
mysql> GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost' IDENTIFIED BY 'your_password';
mysql> FLUSH PRIVILEGES;

Initializing NextCloud

Open the domain you configured in Nginx in a browser. Setup is simple: choose an admin account and password, then enter the database details, which you know from the MySQL step above:

After login the interface looks like this:

Once logged in, click your avatar in the top right and choose Admin to view and change the server settings. Warnings about the server's current problems are shown at the top of the page, each with a link to the documentation explaining how to fix it.

Other

Changing the default data directory

When the NextCloud page is first opened it asks for the data directory. The default is inside the NextCloud package directory, that is under the web root, which is unsafe; move it elsewhere:

[root@ultraera ~]# mkdir /nextcloud_files/
[root@ultraera ~]# chown -R nginx:nginx /nextcloud_files/

# point datadirectory at the new path
[root@ultraera ~]# vim /opt/nextcloud/config/config.php
'datadirectory' => '/nextcloud_files',
Unable to log in to the user interface

I ran into this during installation and spent a long time on it. Because we use Nginx while php-fpm's default user is apache, /var/lib/php/session is owned by the apache user and group, so we have no permission to write session data and cannot log in. The error is visible in NextCloud's log file:

[root@ultraera ~]# tail -n 1 /usr/nextcloud/data/nextcloud.log
{"reqId":"NNnIwMCCPDMQtzZW5Ndc","remoteAddr":"180.166.66.226","app":"PHP","message":"session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (\/var\/lib\/php\/session) at \/usr\/nextcloud\/lib\/private\/Session\/Internal.php#104","level":3,"time":"2017-02-24T10:46:13+00:00","method":"POST","url":"\/index.php","user":"samzong","version":"11.0.0.10"}

# fix: make /var/lib/php group-owned by nginx
[root@ultraera ~]# chgrp -R nginx /var/lib/php
Adding Redis for better performance

I covered installing Redis in an earlier post; see that installation guide. Make sure redis listens on 127.0.0.1 only (bind 127.0.0.1 in /etc/redis.conf): older Redis builds bind to all interfaces with no authentication.

[root@ultraera ~]# yum --enablerepo=remi install -y redis

# add the PHP redis extension
[root@ultraera ~]# yum --enablerepo=remi-php56 install php-redis

# add redis to config.php
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'localhost',
'port' => 6379,
)

# restart so the change takes effect
[root@ultraera ~]# service php-fpm restart
[root@ultraera ~]# service nginx restart

My NextCloud config is as follows. The passwordsalt, secret and dbpassword values are instance-specific secrets: once a config.php has been published anywhere they must be treated as compromised, and a dbpassword equal to the database name, as here, is guessable; use your own random values.

<?php
$CONFIG = array (
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'localhost',
'port' => 6379,
),
'enable_previews' => false,
'instanceid' => 'ockhup01dxbf',
'passwordsalt' => 'TlJgWGrE0N7vOrRfZkOojwdYh/BixL',
'secret' => '/IQh0LioZp5eYFQJhicY7n324Q80WQUYOzWL+8OcxcXVw3Ef',
'trusted_domains' =>
array (
0 => 'pan.ultraera.org',
),
'datadirectory' => '/nextcloud',
'overwrite.cli.url' => 'https://pan.ultraera.org',
'dbtype' => 'mysql',
'version' => '11.0.0.10',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'nextcloud',
'logtimezone' => 'CST',
'installed' => true,
'mail_from_address' => 'luchuanjia',
'mail_smtpmode' => 'php',
'mail_domain' => 'msn.com',
);
SSL certificate

There are now many providers of free SSL certificates in China, and for a personal site a free certificate is a good choice. I put the SSL settings straight into the Nginx configuration above. If you do not enable SSL, do not enable the HTTPS virtual host. You can also generate a self-signed certificate, but visitors will then be warned that the certificate is untrusted. How to obtain a certificate differs between vendors, so I will not go into it here; ask the vendor's support staff.

Current usage

Since the service went live, a nightly job pushes the stored files to OSS and keeps two days of copies, so that a server crash does not lose data. On the client side, my computer and phone and my family's phones all have the app installed and upload photos automatically in the background. It has been stable so far; only the iOS app is paid. Because NextCloud comes from OwnCloud, an OwnCloud app you already bought also works. NextCloud has many other features you can explore as needed.

HowTo Install Redmine

Runtime environment

  • CentOS 6.x
  • Redmine 3.3.2
  • Ruby 2.2.6
  • rails 4.2
  • MySQL 5.1
  • Nginx 1.10

Install rvm

Import the signing key
[root@localhost ~]# curl -sSL https://rvm.io/mpapis.asc | gpg --import
Install
[root@localhost ~]# curl -L https://get.rvm.io | bash -s stable
Piping a downloaded script straight into bash runs whatever the server returns; the safer habit is to save the installer, inspect it, and run it afterwards. The imported key is what lets rvm verify the signed release it then downloads.
Load the rvm environment and install the base dependencies
[root@localhost ~]# source /etc/profile.d/rvm.sh
[root@localhost ~]# rvm requirements

Install ruby

[root@localhost ~]# rvm install 2.2.6
...
[root@localhost ~]# rvm use 2.2.6 --default

Install rails

Switch the gem source

The default gem source is https://rubygems.org, which could not be reached from the local network, so gem installs failed; switch to the Taobao mirror in China. Any mirror is a third party in your supply chain: use it over https only, and note that ruby.taobao.org has since been discontinued in favour of gems.ruby-china.com.

[root@localhost ~]# gem sources -l
*** CURRENT SOURCES ***

https://rubygems.org/
[root@localhost ~]# gem sources --remove https://rubygems.org/
[root@localhost ~]# gem sources -a https://ruby.taobao.org/
[root@localhost ~]# gem sources -l
*** CURRENT SOURCES ***

https://ruby.taobao.org/
Install
[root@localhost ~]# gem install rails -v=4.2

Install MySQL

[root@localhost ~]# yum install -y mysql-server mysql-libs mysql-devel mysql
[root@localhost ~]# service mysqld start
[root@localhost ~]# mysql_secure_installation

Install redmine

Download Redmine 3.3.2
[root@localhost ~]# wget http://www.redmine.org/releases/redmine-3.3.2.tar.gz
[root@localhost ~]# tar xf redmine-3.3.2.tar.gz
[root@localhost ~]# mv redmine-3.3.2 /opt
Install bundler, the Ruby dependency manager
# note: this must be run inside the redmine directory
[root@localhost ~]# cd /opt/redmine-3.3.2
[root@localhost redmine-3.3.2]# gem install bundler
Install the gems redmine needs
[root@localhost redmine-3.3.2]# bundle install --without development test rmagick
Generate the Rails session secret
[root@localhost redmine-3.3.2]# rake generate_secret_token
Create the redmine database
mysql> create database redmine character set utf8;
mysql> grant all privileges on redmine.* to 'redmine'@'localhost' identified by 'redmine_pass';
Edit redmine's database.yml
[root@localhost redmine-3.3.2]# cp config/database.yml.example config/database.yml
[root@localhost redmine-3.3.2]# vim config/database.yml
production:
adapter: mysql2
database: redmine
host: localhost
username: redmine
password: "redmine_pass"
encoding: utf8
Create the database schema
[root@localhost redmine-3.3.2]# RAILS_ENV=production bundle exec rake db:migrate
Load the default data
[root@localhost redmine-3.3.2]# RAILS_ENV=production bundle exec rake redmine:load_default_data
# choose the default language; it can be changed later, the initial value is en
Test that the installation works
[root@localhost redmine-3.3.2]# bundle exec rails server webrick -e production -b 0.0.0.0

It listens on port 3000 by default and the default administrator is admin/admin. Change that password at first login, and do not leave WEBrick bound to 0.0.0.0 beyond this test.

Running Redmine under Nginx

The usual way to run Redmine is Passenger with Nginx. The packaged Nginx was not built with the Passenger module, so Nginx has to be compiled with it. There are two ways to add Passenger to Nginx:

  • use the installer script Passenger provides, suitable for a fresh environment
  • compile Nginx by hand with the Passenger module added, suitable where Nginx already exists
Using the Passenger installer script
[root@localhost redmine-3.3.2]# gem install passenger
[root@localhost redmine-3.3.2]# passenger-install-nginx-module --auto --prefix=/opt/nginx
Recompiling Nginx with the Passenger module
# find passenger's install path
[root@localhost ~]# passenger-config --root
/usr/local/rvm/gems/ruby-2.2.6/gems/passenger-5.1.2

# rebuild Nginx with the module added (the module source lives in a subdirectory of the
# passenger root; passenger-config --nginx-addon-dir prints the exact path)
[root@localhost ~]# wget http://nginx.org/download/nginx-1.10.3.tar.gz
[root@localhost ~]# tar xf nginx-1.10.3.tar.gz
[root@localhost ~]# cd nginx-1.10.3
[root@localhost nginx-1.10.3]# ./configure ... --add-module=$(passenger-config --nginx-addon-dir)
Add the following to the http block (the installer also prints a passenger_ruby line; add it if ruby is not on nginx's PATH)
passenger_root /usr/local/rvm/gems/ruby-2.2.6/gems/passenger-5.1.2;
Edit nginx.conf and change the location settings in the server block
# ...
server {
# ...
passenger_enabled on;
location / {
root /opt/redmine-3.3.2/public;
index index.html index.htm;
}
}
# ...
Start Nginx
[root@localhost ~]# /root/nginx-1.10.3/sbin/nginx -c /root/nginx-1.10.3/conf/nginx.conf

Other

That completes the installation. These are the problems I hit along the way; watch for them too:

7.1 Could not find gem 'mysql2 (~> 0.3.11)' in any of the gem sources listed in your Gemfile.
[root@localhost redmine-3.3.2]# rm -f Gemfile.lock
[root@localhost redmine-3.3.2]# bundle install
7.2 curl-tools
yum install libcurl-devel

HowTo Automatic Updates CENTOS/RHEL Using YUM

When you manage a large number of Linux machines, keeping up with security updates matters: however well a system was hardened at install time, it becomes insecure sooner or later if it is not patched, so regular patching is a basic duty of the operator.

Install yum-cron

sudo yum install -y yum-cron

Most of my servers run CentOS 6, where the configuration file is /etc/sysconfig/yum-cron. You can locate the package's files with:

rpm -ql yum-cron
/etc/cron.daily/0yum.cron
/etc/rc.d/init.d/yum-cron
/etc/sysconfig/yum-cron
/etc/yum/yum-daily.yum
/etc/yum/yum-weekly.yum
/usr/share/doc/yum-cron-3.2.29
/usr/share/doc/yum-cron-3.2.29/COPYING
/usr/share/man/man8/yum-cron.8.gz

Configure "/etc/sysconfig/yum-cron"

By default yum-cron checks for and installs updates every day. A few settings are worth adjusting after installation:

1. Exclude packages that must not be updated automatically (be aware that excluding kernel* means kernel security fixes also stop arriving automatically)
YUM_PARAMETER="--exclude='kernel*' --exclude='php*'"
2. Set the administrator's mailbox
MAILTO="luchuanjia@msn.com"
3. Do not install; only check and notify the administrator mailbox
CHECK_ONLY=yes
4. Do not install; only download
DOWNLOAD_ONLY=yes

Starting yum-cron automatically

chkconfig yum-cron on

HowTo Install LNMP on CentOS 6.x

egrep -v "^#|^$" strips comment and blank lines, which is handy for viewing the configuration files below.

Demo system

[Alex@Test01 ~]$ uname -a
Linux Test01 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[Alex@Test01 ~]$ ip addr | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 10.0.2.128/24 brd 10.0.2.255 scope global eth0

Install httpd

[Alex@Test01 yum.repos.d]$ sudo yum install -y httpd
[Alex@Test01 ~]$ rpm -qa | grep httpd
httpd-2.2.15-39.el6.centos.x86_64
httpd-tools-2.2.15-39.el6.centos.x86_64

# remove welcome page
[Alex@Test01 yum.repos.d]$ sudo rm -f /etc/httpd/conf.d/welcome.conf
# remove default error page
[Alex@Test01 yum.repos.d]$ sudo rm -f /var/www/error/noindex.html

Configure httpd. Replace the server name with your own. ServerTokens Prod and ServerSignature Off stop httpd from advertising its version; AllowOverride All lets any .htaccess under the document root change the configuration, so only enable it where that is intended.

[Alex@Test01 ~]# sudo vi /etc/httpd/conf/httpd.conf
# line 44: change
ServerTokens Prod
# line 76: change to ON
KeepAlive On
# line 262: Admin's address
ServerAdmin luchuanjia@msn.com
# line 338: change
AllowOverride All
# line 276: change to your server's name
ServerName www.ultraera.org:80
# line 402: add file name that it can access only with directory's name
DirectoryIndex index.html index.htm
# line 536: change
ServerSignature Off
# line 759: comment out
# AddDefaultCharset UTF-8
[Alex@Test01 ~]# sudo /etc/init.d/httpd start
Starting httpd:[ OK ]
[Alex@Test01 ~]# sudo chkconfig httpd on # set httpd start with system.

Create an HTML test page

[Alex@Test01 ~]# sudo vi /var/www/html/index.html
it's ok.

Install PHP.

[Alex@Test01 ~]$ sudo yum install -y php php-mbstring php-pear
[Alex@Test01 ~]$ rpm -qa | grep php
php-common-5.3.3-46.el6_6.x86_64
php-5.3.3-46.el6_6.x86_64
php-mbstring-5.3.3-46.el6_6.x86_64
php-cli-5.3.3-46.el6_6.x86_64
php-pear-1.9.4-4.el6.noarch

[Alex@Test01 ~]$ sudo vi /etc/httpd/conf/httpd.conf
# line 402 add file name that it can access only with directory's name
DirectoryIndex index.html index.htm index.php
[Alex@Test01 ~]$ sudo vi /etc/php.ini
# line 946 set your timezone
date.timezone = "Asia/Shanghai"
[Alex@Test01 ~]$ sudo /etc/init.d/httpd restart
Stopping httpd:[ OK ]
Starting httpd:[ OK ]

Create a PHP test page. phpinfo() discloses the full server configuration, so remove this file once PHP is confirmed working.

[Alex@Test01 ~]# sudo vi /var/www/html/index.php

<?php
phpinfo();
?>

Install MySQL

[Alex@Test01 ~]$ sudo yum install -y mysql-server
[Alex@Test01 ~]$ rpm -qa | grep mysql-server
mysql-server-5.1.73-5.el6_6.x86_64

[Alex@Test01 ~]$ sudo vi /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# add
character-set-server=utf8

[Alex@Test01 ~]$ sudo /etc/rc.d/init.d/mysqld start

Initializing MySQL database: WARNING: The host 'www.ultraera.org' could not be looked up with resolveip.
This probably means that your libc libraries are not 100 % compatible
with this binary MySQL version. The MySQL daemon, mysqld, should work
normally with the exception that host name resolving will not work.
This means that you should use IP addresses instead of hostnames
when specifying MySQL privileges !
Installing MySQL system tables...
OK
Filling help tables...
OK
...
...
...
You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
[Alex@Test01 ~]$ sudo chkconfig mysqld on

Initial settings for MySQL

[root@www ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

# Enter
Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

# set root password
Set root password? [Y/n]y
New password: # input any password
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

# remove anonymous users
Remove anonymous users? [Y/n]y

... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

# disallow root login remotely
Disallow root login remotely? [Y/n]y

... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

# remove test database
Remove test database and access to it? [Y/n]y

- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

# reload privilege tables
Reload privilege tables now? [Y/n]y

... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

# try to connect with root
[root@www ~]#mysql -u root -p
Enter password:# MySQL root password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# display user list
mysql>select user,host,password from mysql.user;
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | ***************************************** |
| root | 127.0.0.1 | ***************************************** |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)

# display database list
mysql>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
+--------------------+
2 rows in set (0.00 sec)
mysql>exit
Bye