通用前置步骤(所有节点)
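# 设置主机名(以实际节点为准,例如 linux1)
# X is the node number: linux1 / linux2 / linux3.
hostnamectl set-hostname linuxX.skills.lan
# 配置静态 IP(以 linux1 为例,其他节点改地址即可)
# The connection name differs per host (the notes used both ens160 and
# 'System eth0'); look it up with `nmcli con show` and set it once here so
# every nmcli call below edits the same profile.
con='ens160'
nmcli con mod "$con" ipv4.method manual ipv4.addresses 10.4.1.101/24 \
  ipv4.gateway 10.4.1.1 ipv4.dns "127.0.0.1" autoconnect yes
# linux3 的 DNS 自己指向 两个DNS服务器,按需修改
# (this overrides the ipv4.dns value set just above; run it on the nodes
# that are not DNS servers themselves)
nmcli con mod "$con" ipv4.dns "10.4.1.101 10.4.1.102"
# 使用本地网卡 -- bring the profile up. A trailing `//...` note on this
# line would be passed to nmcli as extra arguments; keep notes in `#` comments.
nmcli con up "$con"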
注意:System eth0 是连接名称,请用 nmcli con show 查看实际名称替换。
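# 关闭 SELinux(若需要,根据 txt 未特别要求,但建议按需)
# `setenforce 0` is a runtime toggle only (lost on reboot) and nothing in
# these notes requires it: the Samba step sets the boolean it needs with
# setsebool. Leave SELinux enforcing; uncomment only if a step really fails.
# setenforce 0
# 禁用防火墙或按服务放行(txt 中 firewalld 都是 enabled,但实际未阻断必要端口)
# The notes stopped, disabled, started, enabled and then disabled firewalld
# again. The task text says firewalld stays enabled, so keep it running and
# open only the services this lab uses (DNS, NTP, HTTP/HTTPS, Samba, SSH).
systemctl enable --now firewalld
for svc in ssh dns ntp http https samba; do
  firewall-cmd --permanent --add-service="$svc"
done
# ports published by the Podman containers later (httpd 8000, registry 5000)
firewall-cmd --permanent --add-port={8000,5000}/tcp
firewall-cmd --reload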
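# 生成 SSH 密钥并分发(需手动输入 yes 和密码,或预先配置免密)
# -N "" produces an unencrypted key: whoever can read /root/.ssh/id_rsa can
# log in to every node, so it must stay root-only. Skip generation when a
# key already exists (ssh-keygen would otherwise stop at an overwrite prompt).
[[ -f /root/.ssh/id_rsa ]] || ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
for i in 1 2 3; do
  # interactive: host-key confirmation plus the root password of each node
  ssh-copy-id "10.4.1.10$i"
done
# kept from the notes; sshd_config has not been changed at this point
systemctl restart sshd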
节点 linux1.skills.lan (10.4.1.101) --- DNS, CA, HTTP, Ansible
# linux1 package set: DNS (bind), NTP (chrony), web + TLS (httpd, mod_ssl),
# automation (ansible-core)
pkgs=(bind chrony httpd mod_ssl ansible-core)
dnf install -y "${pkgs[@]}"
2. 配置 Chrony(允许其他节点访问)
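dnf install -y chrony
# Linux1 -- NTP server for the lab subnet
systemctl enable --now chronyd
# Append the server directives instead of editing in vim (non-interactive,
# repeatable); keep a copy of the stock file first.
cp -pn /etc/chrony.conf /etc/chrony.conf.orig
# The notes also added `server 10.4.1.101 iburst` here, i.e. the server
# listing its own address as an upstream source; that line is dropped --
# `local stratum 10` is what lets it serve time without an upstream.
cat >> /etc/chrony.conf << 'EOF'
allow 10.4.1.0/24
local stratum 10
EOF
systemctl restart chronyd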
其他:
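# 其他节点 -- NTP clients
systemctl enable --now chronyd
# Comment out the stock internet pool lines (unreachable in the lab) and
# point the client at linux1; done with sed/append rather than vim.
sed -i 's/^pool /#pool /' /etc/chrony.conf
printf '%s\n' 'pool 10.4.1.101 iburst' >> /etc/chrony.conf
#复制一份客户端配置文件 (a copy of the finished client config, as in the notes)
cp -p /etc/chrony.conf /
# pick up the edited configuration
systemctl restart chronyd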
测试
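# 测试 -- on the server: which lab clients have asked for time;
# on a client: which sources are in use and whether they are reachable
chronyc clients | grep skills
chronyc sources -v
# a restart picks up config edits; enable keeps it across reboots
systemctl restart chronyd
systemctl enable chronyd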
- 检查 NTP 服务端是否正常工作时,不仅要看进程状态,更要确认端口监听(使用 ss -uln 或 netstat -ulnp)。
- 客户端同步失败但服务端 ping 通时,应使用 nc -vzu 测试 UDP 端口连通性,若收到 Connection refused 则说明服务端未监听。
- 简单的重启服务(systemctl restart chronyd)往往能解决服务未正确初始化的问题。
3. 配置 DNS 服务 (BIND)
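# Linux1 / linux2 (both DNS servers): bind plus the dig/nslookup tools
pkgs=(bind bind-utils)
dnf install -y "${pkgs[@]}"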
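# 主配置文件 /etc/named.conf
# Written with cat (the notes piped a heredoc into vim, which does nothing
# useful). The stock file is kept as a backup.
cp -pn /etc/named.conf /etc/named.conf.orig
cat > /etc/named.conf << 'EOF'
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { none; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        // recursion for the lab subnet only: "allow-query any" together
        // with unrestricted recursion would make this an open resolver
        allow-recursion { localhost; 10.4.1.0/24; };
};

// root hints as in the stock file; needed for recursive lookups
zone "." IN {
        type hint;
        file "named.ca";
};

// 末尾加 -- authoritative zones; zone transfers only to the secondary (linux2)
zone "skills.lan" IN {
        type master;
        file "named.skills";
        allow-update { none; };
        allow-transfer { 10.4.1.102; };
};
zone "1.4.10.in-addr.arpa" IN {
        type master;
        file "named.10";
        allow-update { none; };
        allow-transfer { 10.4.1.102; };
};
EOF
# syntax check before the service is (re)started
named-checkconf /etc/named.conf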
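# 正向区域文件 /var/named/named.skills
# Written directly instead of copying named.localhost and editing in vim.
cat > /var/named/named.skills << 'EOF'
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      linux1
        NS      linux2
linux1  A       10.4.1.101
linux2  A       10.4.1.102
linux3  A       10.4.1.103
web     A       10.4.1.101
www     A       10.4.1.101
EOF
# named runs as the "named" user; a freshly created file is root:root, so
# give it the same owner/mode as the stock zone files
chown root:named /var/named/named.skills
chmod 640 /var/named/named.skills
named-checkzone skills.lan /var/named/named.skills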
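# 反向区域文件 /var/named/named.10
# Written directly instead of copying named.loopback and editing in vim.
# The two `A` records the notes placed in this file are left out: an
# in-addr.arpa zone carries PTR records, the A records live in named.skills.
cat > /var/named/named.10 << 'EOF'
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      linux1.skills.lan.
        NS      linux2.skills.lan.
101     PTR     linux1.skills.lan.
101     PTR     web.skills.lan.
101     PTR     www.skills.lan.
102     PTR     linux2.skills.lan.
103     PTR     linux3.skills.lan.
EOF
chown root:named /var/named/named.10
chmod 640 /var/named/named.10
named-checkzone 1.4.10.in-addr.arpa /var/named/named.10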
Linux2
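# Linux2 -- secondary server. Only two option lines change in the stock
# file, so they are edited in place instead of retyped in vi.
sed -i -e 's/listen-on port 53 { 127.0.0.1; };/listen-on port 53 { any; };/' \
       -e 's/allow-query[[:space:]]*{ localhost; };/allow-query { any; };/' /etc/named.conf
# limit recursion to the lab subnet (same reasoning as on linux1)
grep -q 'allow-recursion' /etc/named.conf || \
  sed -i '/allow-query/a allow-recursion { localhost; 10.4.1.0\/24; };' /etc/named.conf
# 最后末尾加 -- secondary zones. The files go under slaves/: that is the
# directory in /var/named the named user can write to, so a bare
# "named.skills" would leave the transferred zone unsaved.
cat >> /etc/named.conf << 'EOF'
zone "skills.lan" IN {
        type slave;
        file "slaves/named.skills";
        masters { 10.4.1.101; };
};
zone "1.4.10.in-addr.arpa" IN {
        type slave;
        file "slaves/named.10";
        masters { 10.4.1.101; };
};
EOF
named-checkconf /etc/named.conf
#启动 named
systemctl enable --now named
systemctl restart named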
4. 配置自签名 CA 和证书
方法1:
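# 方法1: openssl.cnf changes needed by `openssl ca` (the notes made them in
# vim; sed keeps the step scriptable). Back the file up first.
cp -pn /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.orig
# [ CA_default ]: default_days = 3650, policy = policy_anything
sed -i '/^\[ CA_default \]/,/^\[/{
  s/^default_days[[:space:]]*=.*/default_days = 3650/
  s/^policy[[:space:]]*=.*/policy = policy_anything/
}' /etc/pki/tls/openssl.cnf
# [ usr_cert ]: subjectAltName=DNS:skills.lan,DNS:*.skills.lan
sed -i '/^\[ usr_cert \]/a subjectAltName=DNS:skills.lan,DNS:*.skills.lan' /etc/pki/tls/openssl.cnf
# show the resulting values so a failed substitution is visible
grep -nE '^(default_days|policy|subjectAltName)' /etc/pki/tls/openssl.cnf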
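# CA directory layout expected by `openssl ca` (dir = /etc/pki/CA)
mkdir -p /etc/pki/CA/private /etc/pki/CA/newcerts
cd /etc/pki/CA || exit 1
chmod 700 private
touch index.txt
echo 01 > serial
# CA private key: readable by root only
openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
chmod 600 /etc/pki/CA/private/cakey.pem
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem \
  -days 3650 -subj "/CN=linux1.skills.lan"
cd /etc/pki/tls || exit 1
openssl genrsa -out skills.key 2048
chmod 600 skills.key
openssl req -new -key /etc/pki/tls/skills.key -out /etc/pki/tls/skills.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=skills/OU=system/CN=skills.lan"
# -batch: sign without the interactive y/n prompts; the SAN comes from the
# [ usr_cert ] entry in openssl.cnf
openssl ca -batch -in /etc/pki/tls/skills.csr -out /etc/pki/tls/skills.crt -days 1825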
浏览器访问https网站时,不出现证书警告信息。
# trust the lab CA on this host: drop the CA certificate into the anchors
# directory and rebuild the system trust bundle
anchors_dir=/etc/pki/ca-trust/source/anchors
cp /etc/pki/CA/cacert.pem "$anchors_dir/"
update-ca-trust
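# 创建 CA 目录
mkdir -p /etc/pki/CA/private
cd /etc/pki/CA || exit 1
chmod 700 private
# 生成 CA 私钥和自签证书 (有效期 10 年)
openssl genrsa -out private/cakey.pem 2048
chmod 600 private/cakey.pem
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=skills/OU=system/CN=linux1.skills.lan"
# 为 skills.lan 生成证书请求和私钥
cd /etc/pki/tls || exit 1
openssl genrsa -out skills.key 2048
chmod 600 skills.key
# The notes had `...CN=skills.lan"\` with no space before the backslash, so
# the continuation glued -addext onto the subject string; a space is required.
openssl req -new -key skills.key -out skills.csr \
  -subj "/C=CN/ST=Beijing/O=skills/OU=system/CN=skills.lan" \
  -addext "subjectAltName=DNS:skills.lan,DNS:*.skills.lan"
# 用 CA 签署证书 (有效期 5 年,txt 中显示 2031 年)
# `x509 -req` does not take extensions from the CSR by default, so the SAN
# is supplied again through -extfile.
openssl x509 -req -in skills.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem \
  -CAcreateserial -out skills.crt -days 1825 \
  -extfile <(printf 'subjectAltName=DNS:*.skills.lan,DNS:skills.lan')
# 生成 apache 使用的证书(自签,便于测试)
# Self-signed for CN=localhost: browsers will warn on it. For the
# "no certificate warning" requirement, point httpd at skills.crt/skills.key.
openssl req -new -x509 -nodes -out apache.crt -keyout apache.key -days 365 \
  -subj "/CN=localhost"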
备用方法
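#创建根私钥
mkdir -p /etc/pki/CA/private /etc/pki/CA/newcerts
cd /etc/pki/CA/ || exit 1
openssl genrsa -out private/cakey.pem 2048
chmod 600 private/cakey.pem
#创建根证书 (-days 3650 = validity in days)
# The notes answered the prompts by hand (CN Beijing Beijing Skills System
# *.skills.lan); -subj passes the same values so the step runs unattended.
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Skills/OU=System/CN=*.skills.lan"
#在CA文件夹下创建 数据库索引文件 和 当前证书序列号
touch index.txt
echo 01 > serial
#导出安装用证书ca.pfx
# Clients only need the CA *certificate* to trust it; -nokeys keeps the CA
# private key out of the bundle that gets copied to other machines.
mkdir -p certs
openssl pkcs12 -export -nokeys -in cacert.pem -out certs/ca.pfx
#证书
openssl genrsa -out skills.key 2048
chmod 600 skills.key
# subject as in the notes: CN=*.skills.lan,OU=System,O=Skills,L=Beijing,S=Beijing,C=CN
openssl req -new -key skills.key -out skills.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Skills/OU=System/CN=*.skills.lan"
openssl ca -batch -in skills.csr -out skills.crt -days 1825
# server bundle (key + certificate); pkcs12 prompts for an export password
openssl pkcs12 -export -inkey skills.key -in skills.crt -out skills.pfx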
请采用 ansible ,实现自动化运维。
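# quote the glob so the shell does not expand it against the current directory
yum install -y 'ansible*'
# inventory: the two managed nodes (linux2, linux3)
cat > /etc/ansible/hosts << 'EOF'
[all]
10.4.1.102
10.4.1.103
EOF
# 查看受控情况 -- a `\\...` note on this line would be passed to ansible as
# arguments; notes belong in comments
ansible all -m ping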
节点 linux3.skills.lan (10.4.1.103) --- Samba, Podman
1. 安装软件包
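# 配置 Samba
yum -y install samba samba-client
#创建20个用户 -- user00..user19 (the notes used {00..20}, which is 21 users;
# the alternative method further down confirms 00..19)
for i in {00..19}; do
  useradd "user$i"
done
#创建组
groupadd manager
groupadd dev
#修改用户的所属组 (primary group)
usermod -g manager user00
usermod -g manager user01
usermod -g dev user02
usermod -g dev user03
# Samba passwords: pdbedit prompts for each user
for u in user00 user01 user02 user03; do
  pdbedit -a "$u"
done
#创建目录
mkdir -p /srv/sharesmb
#编辑samba的配置文件 -- appended rather than edited in vim.
# `write list = @ manager` in the notes had a stray space (group " manager");
# the masks no longer allow setuid bits on files created through the share.
cat >> /etc/samba/smb.conf << 'EOF'
[sharesmb]
path = /srv/sharesmb
valid users = @dev,@manager
write list = @manager
writeable = yes
create mask = 0775
directory mask = 2775
EOF
# validate smb.conf before starting the service
testparm -s
systemctl enable --now smb
#加权限 -- setgid on the directory only; the notes' `chmod -R a+s` also set
# setuid/setgid on every existing file, which a file share should not carry
chown -R root:dev /srv/sharesmb
chmod -R 775 /srv/sharesmb
chmod g+s /srv/sharesmb
setfacl -m g:dev:rx /srv/sharesmb/
setfacl -m g:manager:rwx /srv/sharesmb/
# default ACLs so directories created later inherit the same access
setfacl -d -m g:dev:rx /srv/sharesmb/
setfacl -d -m g:manager:rwx /srv/sharesmb/
# open the Samba ports persistently (replaces the runtime-only add-service
# call and the abbreviated `--per` flag)
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
setsebool -P samba_export_all_rw on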
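# smbclient 命令测试 (the share host is linux3 = 10.4.1.103; the notes had a
# different address pasted in)
yum -y install samba-client
# interactive: prompts for user00's password and opens the "smb: \>" shell
smbclient //10.4.1.103/sharesmb/ -U user00
#测试user00上传文件 -- the password is passed through the PASSWD environment
# variable instead of a `user%password` argument, which is visible to every
# local user in `ps`
touch 1.txt
PASSWD='Key-1122' smbclient -c "put 1.txt" //localhost/sharesmb -U user00
#查看ls
ls -l /srv/sharesmb/
# user02 is in dev (read-only): both the upload and the delete are expected
# to fail with NT_STATUS_ACCESS_DENIED
PASSWD='123' smbclient -c "put 1.txt" //localhost/sharesmb -U user02
PASSWD='123' smbclient -c "rm 1.txt" //localhost/sharesmb -U user02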
备用
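# 创建共享目录
mkdir -p /srv/sharesmb
# (the notes did chmod 777 here and chmod 2770 further down; only the final
# 2770/+t mode is applied)
# 创建 user00 ~ user19,设置统一密码(示例密码为 123456)
# the sample password can be overridden from the environment
login_pw=${SAMBA_LOGIN_PW:-123456}
for i in $(seq -f "%02g" 0 19); do
  useradd -m "user$i"
  printf '%s:%s\n' "user$i" "$login_pw" | chpasswd
done
# the groups must exist before usermod -aG; -f makes the step safe to rerun
groupadd -f manager
groupadd -f dev
# 添加 user00,user01 到 manager 组
usermod -aG manager user00
usermod -aG manager user01
# 添加 user02,user03 到 dev 组
usermod -aG dev user02
usermod -aG dev user03
# 将 user00-user03 添加为 Samba 用户(密码设为 samba123)
smb_pw=${SAMBA_SMB_PW:-samba123}
for u in user00 user01 user02 user03; do
  printf '%s\n%s\n' "$smb_pw" "$smb_pw" | smbpasswd -s -a "$u"
done
# 属组为 manager,权限 2770(setgid 保证新建文件继承组)
chown root:manager /srv/sharesmb
chmod 2770 /srv/sharesmb
# 添加粘滞位,防止用户删除他人文件
chmod +t /srv/sharesmb
# dev members are valid users but not in the directory's group; without
# this ACL they are denied even read access at the filesystem level
setfacl -m g:dev:rx /srv/sharesmb
# 配置 smb.conf -- back up the stock file, then write the new one. (The
# notes opened the heredoc twice: the first `cat > ... << 'EOF'` swallowed
# the cp line into smb.conf.)
cp -pn /etc/samba/smb.conf /etc/samba/smb.conf.bak
# `map to guest = Bad User` turns a failed login into a guest session; the
# share's `valid users` list still keeps guests out of it.
cat > /etc/samba/smb.conf << 'EOF'
[global]
workgroup = SKILLS
server string = Samba Server %v
netbios name = linux3
security = user
map to guest = Bad User
passdb backend = tdbsam
[sharesmb]
path = /srv/sharesmb
valid users = @manager, @dev
write list = @manager
read only = no
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
inherit permissions = yes
inherit owner = yes
EOF
# validate the configuration and allow Samba to export the directory
testparm -s
setsebool -P samba_export_all_rw on
systemctl enable --now smb nmb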
4. 配置 Podman 容器(HTTP + Registry)
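# 运行 httpd 容器(映射到 8000)
podman run -d --name httpd -p 8000:80 docker.io/library/httpd:latest
# 运行 registry 容器(带基本认证)
mkdir -p /opt/registry/auth
# credentials default to the notes' admin/admin; override from the
# environment. The password is fed on stdin (-i) so it does not appear in
# `ps` output or shell history the way `-b admin admin` does.
reg_user=${REGISTRY_USER:-admin}
reg_pass=${REGISTRY_PASS:-admin}
printf '%s\n' "$reg_pass" | htpasswd -Bin "$reg_user" > /opt/registry/auth/htpasswd
chmod 600 /opt/registry/auth/htpasswd
podman run -d --name registry -p 5000:5000 \
  -v /opt/registry/auth:/auth:Z \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  docker.io/library/registry:2
# publish both ports when firewalld is running (no-op if it is disabled)
if systemctl -q is-active firewalld; then
  firewall-cmd --permanent --add-port={8000,5000}/tcp
  firewall-cmd --reload
fi
# 测试:拉取镜像并推送到本地 registry(让 txt 中 curl 返回 {"repositories":["rockylinux"]})
# --tls-verify=false because the registry speaks plain HTTP: the basic-auth
# credentials cross the wire unencrypted, acceptable only on this lab subnet.
# The registry requires authentication, so log in before pushing.
podman pull rockylinux:9
podman tag rockylinux:9 linux3.skills.lan:5000/rockylinux
printf '%s' "$reg_pass" | podman login --tls-verify=false -u "$reg_user" --password-stdin linux3.skills.lan:5000
podman push --tls-verify=false linux3.skills.lan:5000/rockylinux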