ivaneeo's blog

          The power of freedom, the life of freedom.



          1. The resource pool is for display.
          2. It can be managed both at initialization and afterwards.
          Just add modules to the resource center and to the infrastructure respectively.
          The resource center is purely for display.
          It takes no part in management.
          Everything in the resource center is statistical and presentational.
          posted @ 2012-12-29 23:11 ivaneeo Read (312) | Comments (0)


          https://help.ubuntu.com/10.04/serverguide/kerberos.html

          Kerberos

          Kerberos is a network authentication system based on the principle of a trusted third party; the other two parties are the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO).

          This section covers installation and configuration of a Kerberos server, and some example client configurations.

          Overview

          If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:

          • Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.

          • Instances: are used for service principals and special administrative principals.

          • Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM).

          • Key Distribution Center: (KDC) consists of three parts: a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.

          • Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's password which is known only to the user and the KDC.

          • Ticket Granting Server: (TGS) issues service tickets to clients upon request.

          • Tickets: confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.

          • Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host.

          To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation, configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.

          Kerberos Server

          Installation

          Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the example.com domain configured in the section called “Primary Master”.

          Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the Network Time Protocol (NTP). For details on setting up NTP see the section called “Time Synchronisation with NTP”.

          The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:

          sudo apt-get install krb5-kdc krb5-admin-server
          

          You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm.

          Next, create the new realm with the krb5_newrealm utility:

          sudo krb5_newrealm
          

          Configuration

          The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon.

          1. Now that the KDC is running, an admin user is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility, in a terminal prompt enter:

            sudo kadmin.local
            Authenticating as principal root/admin@EXAMPLE.COM with password.
            kadmin.local: addprinc steve/admin
            WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
            Enter password for principal "steve/admin@EXAMPLE.COM": 
            Re-enter password for principal "steve/admin@EXAMPLE.COM": 
            Principal "steve/admin@EXAMPLE.COM" created.
            kadmin.local: quit
            

            In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The "every day" Principal would be steve@EXAMPLE.COM, and should have only normal user rights.

            [Note]

            Replace EXAMPLE.COM and steve with your Realm and admin username.

          2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file:

            steve/admin@EXAMPLE.COM        *
            

            This entry grants steve/admin the ability to perform any operation on all principals in the realm.

          3. Now restart the krb5-admin-server for the new ACL to take effect:

            sudo /etc/init.d/krb5-admin-server restart
            
          4. The new user principal can be tested using the kinit utility:

            kinit steve/admin
            steve/admin@EXAMPLE.COM's Password:
            

            After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):

            klist
            Credentials cache: FILE:/tmp/krb5cc_1000
                    Principal: steve/admin@EXAMPLE.COM
            
              Issued           Expires          Principal
            Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
            

            You may need to add an entry into the /etc/hosts for the KDC. For example:

            192.168.0.1   kdc01.example.com       kdc01
            

            Replacing 192.168.0.1 with the IP address of your KDC.

          5. In order for clients to determine the KDC for the Realm some DNS SRV records are needed. Add the following to /etc/named/db.example.com:

            _kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
            _kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
            _kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com. 
            _kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com. 
            _kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
            _kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.
            
            [Note]

            Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC.

            See Chapter 7, Domain Name Service (DNS) for detailed instructions on setting up DNS.

          Your new Kerberos Realm is now ready to authenticate clients.
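          To make the scope of that kadm5.acl entry concrete, here is a simplified Python model of how such entries are evaluated, added for this page (it is not kadmind's code). It compares the page's wide-open steve/admin entry with a constructed, tighter ACL, and assumes first-match-wins, per-component wildcards and explicit realms; the restrictions field and back-references are not modelled.

```python
"""Simplified model of /etc/krb5kdc/kadm5.acl evaluation (added illustration,
not MIT kadmind code).  An entry is:  principal  permissions  [target]
Modelled: '*' / '?' wildcards inside each principal component (primary,
instances, realm); permission letters a d m c i l s p e, with 'x' or '*'
meaning all and an uppercase letter meaning deny; first matching entry wins.
Not modelled: the restrictions field, back-references such as *1, and
realm defaulting when an entry omits @REALM."""
import fnmatch

ALL_PERMS = set("admcilspe")


def split_principal(principal):
    """'steve/admin@EXAMPLE.COM' -> (['steve', 'admin'], 'EXAMPLE.COM')."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, ""
    return name.split("/"), realm


def principal_matches(pattern, principal):
    """Component-wise wildcard match; the number of components must agree,
    so '*@EXAMPLE.COM' never matches a two-component 'x/admin@EXAMPLE.COM'."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(pat_comps) != len(comps) or not fnmatch.fnmatchcase(realm, pat_realm):
        return False
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(comps, pat_comps))


def parse_perms(spec):
    """Return (allowed, denied) sets for a permission string such as 'ci' or '*'."""
    allowed, denied = set(), set()
    for ch in spec:
        if ch in "*x":
            allowed |= ALL_PERMS
        elif ch.islower() and ch in ALL_PERMS:
            allowed.add(ch)
        elif ch.isupper() and ch.lower() in ALL_PERMS:
            denied.add(ch.lower())
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return allowed, denied


def parse_acl(text):
    """Parse kadm5.acl lines into (principal_pattern, perms, target_pattern|None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def is_allowed(entries, actor, op, target=None):
    """The first entry matching the actor (and the target, if the entry names
    one) decides; with no matching entry the operation is refused."""
    for pattern, perms, target_pattern in entries:
        if not principal_matches(pattern, actor):
            continue
        if target_pattern is not None and (
            target is None or not principal_matches(target_pattern, target)
        ):
            continue
        allowed, denied = parse_perms(perms)
        return op in allowed and op not in denied
    return False


# The page's entry: steve/admin may perform any operation on any principal.
PAGE_ACL = "steve/admin@EXAMPLE.COM        *\n"

# Constructed tighter alternative: admin instances may only inquire/list
# other admin principals (first line wins for those targets) but do anything
# to the rest; a helpdesk principal may only change passwords of and inquire
# about single-component, i.e. non-admin, principals.
TIGHT_ACL = """\
*/admin@EXAMPLE.COM     il    */admin@EXAMPLE.COM
*/admin@EXAMPLE.COM     *
helpdesk@EXAMPLE.COM    ci    *@EXAMPLE.COM
"""
```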

          Secondary KDC

          Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable.

          1. First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:

            sudo apt-get install krb5-kdc krb5-admin-server
            
          2. Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:

            kadmin -q "addprinc -randkey host/kdc02.example.com"
            
            [Note]

            After issuing any kadmin command you will be prompted for the password of your username/admin@EXAMPLE.COM principal.

          3. Extract the keytab file:

            kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com"
            
          4. There should now be a keytab.kdc02 file in the current directory; move it to /etc/krb5.keytab:

            sudo mv keytab.kdc02 /etc/krb5.keytab
            
            [Note]

            If the path to the keytab.kdc02 file is different adjust accordingly.

            Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the klist utility:

            sudo klist -k /etc/krb5.keytab
            
          5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:

            host/kdc01.example.com@EXAMPLE.COM
            host/kdc02.example.com@EXAMPLE.COM
            
          6. Create an empty database on the Secondary KDC:

            sudo kdb5_util -s create
            
          7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:

            sudo kpropd -S
            
          8. From a terminal on the Primary KDC, create a dump file of the principal database:

            sudo kdb5_util dump /var/lib/krb5kdc/dump
            
          9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:

            kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"
            sudo mv keytab.kdc01 /etc/krb5.keytab
            
            [Note]

            Make sure there is a host principal for kdc01.example.com before extracting the keytab.

          10. Using the kprop utility push the database to the Secondary KDC:

            sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
            
            [Note]

            There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.

            You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:

            # m h  dom mon dow   command
            0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
            
          11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:

            sudo kdb5_util stash
            
          12. Finally, start the krb5-kdc daemon on the Secondary KDC:

            sudo /etc/init.d/krb5-kdc start
            

          The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping the krb5-kdc daemon on the Primary KDC, then use kinit to request a ticket. If all goes well you should receive a ticket from the Secondary KDC.

          Kerberos Linux Client

          This section covers configuring a Linux system as a Kerberos client. This will allow access to any kerberized services once a user has successfully logged into the system.

          Installation

          In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:

          sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
          

          The auth-client-config package allows simple configuration of PAM for authentication from multiple sources, and libpam-ccreds caches authentication credentials, allowing you to log in when the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that authenticate using Kerberos while on the corporate network but must also be usable off the network.

          Configuration

          To configure the client in a terminal enter:

          sudo dpkg-reconfigure krb5-config
          

          You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.

          dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:

          [libdefaults]
                  default_realm = EXAMPLE.COM
          ...
          [realms]
                  EXAMPLE.COM = {
                          kdc = 192.168.0.1               
                          admin_server = 192.168.0.1
                  }
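          As an added check (not Ubuntu's or MIT's code), here is a small Python parser for the brace-nested krb5.conf format shown above. It rejects a mismatched brace such as "EXAMPLE.COM = }" where "{" belongs, and reports a realm block that lacks kdc or admin_server, which matters when no DNS SRV records exist. The sample configuration inside it is constructed from the fragment above.

```python
"""Parser and sanity check for the brace-nested krb5.conf format (added
illustration, not Ubuntu's or MIT's code).  Handles the subset used here:
[section] headers, key = value lines, one level of 'key = { ... }' blocks,
'#' comments, and repeated keys such as several 'kdc =' lines."""
import re


def parse_krb5_conf(text):
    sections, current, block, block_name = {}, None, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "...":          # '...' marks elided lines in the excerpt
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if block is not None:
                raise ValueError(f"[{header.group(1)}] starts inside an open '{{' block")
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("'}' without a matching '{'")
            current[block_name], block, block_name = block, None, None
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"expected 'key = value': {line!r}")
        if value == "{":
            if block is not None:
                raise ValueError("nested '{' blocks are not supported")
            block, block_name = {}, key
            continue
        if value.startswith("}"):            # a '}' where '{' was meant lands here
            raise ValueError(f"'}}' where '{{' was expected: {line!r}")
        target = block if block is not None else current
        if key in target:                    # repeated key, e.g. several kdc = lines
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    if block is not None:
        raise ValueError(f"'{block_name} = {{' is never closed")
    return sections


def parse_error(text):
    """Return the parser's error message, or None if the text parses."""
    try:
        parse_krb5_conf(text)
        return None
    except ValueError as exc:
        return str(exc)


def check_client_config(conf):
    """Findings for the settings a client needs when DNS SRV records are absent."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not uppercase")
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        return findings + [f"[realms] has no block for {realm}"]
    for key in ("kdc", "admin_server"):
        if key not in entry:
            findings.append(f"[realms] {realm} lacks {key}; only DNS SRV lookup can find it")
    return findings


# Constructed inputs: the excerpt with a '}' where '{' belongs, and the corrected form.
BROKEN_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
...
[realms]
        EXAMPLE.COM = }
                kdc = 192.168.0.1
                admin_server = 192.168.0.1
        }
"""
FIXED_CONF = BROKEN_CONF.replace("EXAMPLE.COM = }", "EXAMPLE.COM = {")
```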
          

          You can test the configuration by requesting a ticket using the kinit utility. For example:

          kinit steve@EXAMPLE.COM
          Password for steve@EXAMPLE.COM:
          

          When a ticket has been granted, the details can be viewed using klist:

          klist
          Ticket cache: FILE:/tmp/krb5cc_1000
          Default principal: steve@EXAMPLE.COM
          
          Valid starting     Expires            Service principal
          07/24/08 05:18:56  07/24/08 15:18:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
                  renew until 07/25/08 05:18:57
          
          
          Kerberos 4 ticket cache: /tmp/tkt1000
          klist: You have no tickets cached
          

          Next, use the auth-client-config to configure the libpam-krb5 module to request a ticket during login:

          sudo auth-client-config -a -p kerberos_example
          

          You should now receive a ticket upon successful login authentication.

          Resources

          posted @ 2012-12-19 18:15 ivaneeo Read (2685) | Comments (0)

          1. What is an SSL certificate, and what is HTTPS

          An SSL certificate is a digital certificate that uses the Secure Socket Layer protocol to establish a secure channel between the browser and the web server, which provides:
          1. Encrypted transmission of data between the client and the server, so that the information the two sides exchange cannot be eavesdropped by a third party;
          2. A way for the user to verify, through the server certificate, whether the site being visited is genuine and trustworthy.
          (via Baidu Baike)

          HTTPS is an HTTP channel whose goal is security, i.e. HTTP with an SSL encryption layer added. HTTPS uses a different port from HTTP: the default HTTP port is 80, the default HTTPS port is 443.

          2. Which sites need an SSL certificate

          1. Shopping and transaction sites
          Needless to say, online banking, Alipay, PayPal and the like encrypt the whole session to protect your information.

          2. Registration and login
          Some large sites, such as e-mail providers, use a dedicated SSL channel when you register or log in so that the password cannot be stolen.

          3. Certain online proxies
          This one... ahem, let's not go there.

          4. Showing off
          Like me...

          3. Issuing your own SSL certificate (not trusted by browsers)

          Issue a certificate for the 曬曬IQ (33iq) site. SSH into the server and enter the following commands in a terminal to generate an RSA key and a certificate with openssl.

          # Generate an RSA key
          $ openssl genrsa -des3 -out 33iq.key 1024
          # Make a copy of the key that does not require a passphrase
          $ openssl rsa -in 33iq.key -out 33iq_nopass.key
          # Generate a certificate signing request
          $ openssl req -new -key 33iq.key -out 33iq.csr
          # Sign the certificate yourself
          $ openssl x509 -req -days 365 -in 33iq.csr -signkey 33iq.key -out 33iq.crt

          The third command generates the certificate request; it prompts for the province, city, domain name and so on. The important point is that the e-mail address must end with your own domain. This produces a csr file, and that csr file is what you submit to an SSL provider. Of course, here I did not apply to a certificate provider; instead I signed the certificate myself in step 4.

          Generating the key and certificate with openssl

          Edit the configuration file nginx.conf and add the HTTPS protocol to the site:

          server {
              server_name YOUR_DOMAINNAME_HERE;
              listen 443;
              ssl on;
              ssl_certificate /usr/local/nginx/conf/33iq.crt;
              ssl_certificate_key /usr/local/nginx/conf/33iq_nopass.key;
              # If ssl_certificate_key points at 33iq.key instead, the key passphrase must be entered every time Nginx starts.
          }

          After restarting Nginx the site can be accessed over https.

          A self-issued SSL certificate does provide encrypted transport, but browsers do not trust it and show the following warning:
          Untrusted security certificate

          4. Certificates trusted by browsers

          To obtain a browser-trusted certificate you must apply to a certificate provider. A certification authority, also called a CA, issues a digital certificate to each user of a public key. Browsers ship with the certificates of a number of CAs built in, so certificates issued by those CAs are trusted. VeriSign is a well-known foreign CA; ICBC, China Construction Bank, China Merchants Bank, Alipay, Tenpay and other sites all use VeriSign certificates, while non-financial sites such as NetEase Mail use SSL certificates issued by CNNIC, the China Internet Network Information Center. Generally a certificate is not cheap; a VeriSign certificate, for example, costs around 8000 RMB per year.

          It is said that free certificates can also be obtained. Like VeriSign, StartSSL is a CA; its root certificate has long been supported by browsers with an open-source background (Firefox, Google Chrome, Apple Safari and so on). Later StartSSL even won over Microsoft: in an update patch, Microsoft updated the list of vendors accepted into the Windows Root Certificate Program and for the first time included StartCom. Now, on Windows 7, or on Windows Vista or Windows XP with the update installed, the system fully trusts digital certificates issued by free certification authorities such as StartCom, so StartSSL is also supported by Internet Explorer. (Source and application steps)

          5. Applying https encryption only to registration and login

          Since HTTPS guarantees security, why do most sites in the world still use HTTP? HTTPS imposes a large load on the server. For performance reasons we cannot encrypt every request of every user (except, of course, for giants like Google). As an ordinary site, all we want is security for transactions, password logins and similar operations. By configuring Nginx, rewrite can be used to achieve this.

          Add the following to the https server block:

          if ($uri !~* "/logging.php$") {
              rewrite ^/(.*)$ http://$host/$1 redirect;
          }

          Add the following to the http server block:

          if ($uri ~* "/logging.php$") {
              rewrite ^/(.*)$ https://$host/$1 redirect;
          }

          This way, users go through https only when, and whenever, they access logging.php.

          Update: some development frameworks decide whether the current request uses https by checking whether the PHP variable $_SERVER['HTTPS'] is on. For that we need to add one line to the Nginx configuration to set this variable. Anyone who finds that https links redirect and then automatically jump back to http can refer to this.

          server {
              ...
              listen 443;
              location ~ \.php$ {
                  ...
                  include fastcgi_params;
                  fastcgi_param HTTPS on; # add this line
              }
          }

          server {
              ...
              listen 80;
              location ~ \.php$ {
                  ...
                  include fastcgi_params;
              }
          }

          References:
          http://zou.lu/nginx-https-ssl-module
          http://blog.s135.com/startssl/
          http://www.baalchina.net/2008/08/nginx-https-rewrite/

          posted @ 2012-12-11 02:42 ivaneeo Read (11395) | Comments (0)


          com.mysql.jdbc.CommunicationsException: The last packet successfully received from the server was 58129 seconds ago. The last packet sent successfully to the server was 58129 seconds ago, which is longer than the server configured value of 'wait_timeout'. You should consider either expiring and/or testing connection validity before use in your application, increasing the server configured values for client timeouts, or using the Connector/J connection property 'autoReconnect=true' to avoid this problem.

          I looked it up: it turns out to be MySQL's timeout setting.
          If a connection is idle for 8 hours (no database operations within 8 hours), MySQL closes the connection automatically, and Tomcat has to be restarted.

          Solutions:

              Option 1. If you are not using Hibernate, add a parameter to the connection URL: autoReconnect=true

          jdbc.url=jdbc:mysql://ipaddress:3306/database?autoReconnect=true&autoReconnectForPools=true

              Option 2. If you use Hibernate, add the following properties:
                  <property name="connection.autoReconnect">true</property>
                  <property name="connection.autoReconnectForPools">true</property>
                  <property name="connection.is-connection-validation-required">true</property>

              Option 3. If you also use the c3p0 connection pool:
                  <property name="hibernate.c3p0.acquire_increment">1</property>
                  <property name="hibernate.c3p0.idle_test_period">0</property>
                  <property name="hibernate.c3p0.timeout">0</property>
                  <property name="hibernate.c3p0.validate">true</property>

              Option 4. The worst solution

          When using Connector/J to connect to a MySQL database, after the program has been running for a long time it reports the following error:

          Communications link failure, The last packet successfully received from the server was *** millisecond ago. The last packet successfully sent to the server was *** millisecond ago.

          The error also suggests changing wait_timeout or using Connector/J's autoReconnect property to avoid it.

          Looking into it later, I found quite a few people had hit this problem, mostly when using a connection pool; it is unlikely with short-lived connections. The cause:

          MySQL's default wait_timeout is 28800 seconds, i.e. 8 hours, meaning that if a connection stays idle for more than 8 hours MySQL closes it automatically, while the connection pool still considers the connection valid (because it does not check connection validity), so when the application asks to use that connection the error above results.

          1. Following the error's suggestion, the autoReconnect property can be used in the JDBC URL; in testing I used autoReconnect=true&failOverReadOnly=false, but it had no effect. I was on version 5.1; perhaps, as people online say, it only works for versions before 4.

          2. With no alternative, the MySQL parameters have to be changed. wait_timeout can be at most 31536000, i.e. one year. Add to my.cnf:

          [mysqld]
          wait_timeout=31536000
          interactive_timeout=31536000

          Restart for it to take effect; both parameters need to be changed together.
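          To show why a pool must test a connection before use, here is an added Python simulation (not Connector/J, Hibernate or c3p0 code) with a constructed stand-in for the MySQL server that drops sessions idle longer than wait_timeout. A naive pool reproduces the 58129-second failure from the message above; a validating pool that discards long-idle connections and pings the rest survives it. The clock is injected so the test can jump eight hours without sleeping.

```python
"""Simulation of the wait_timeout failure and of 'test connection validity
before use' (added illustration; not Connector/J, Hibernate or c3p0 code).
FakeMySQLConnection is a constructed stand-in for a server-side session."""

WAIT_TIMEOUT = 28800            # MySQL's default wait_timeout, seconds (8 hours)


class FakeClock:
    """Injected clock so a test can advance time without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeMySQLConnection:
    """Constructed stand-in: the server drops a session idle > WAIT_TIMEOUT."""
    def __init__(self, clock):
        self.clock = clock
        self.last_activity = clock()
        self.closed_by_server = False

    def execute(self, sql):
        if self.closed_by_server or self.clock() - self.last_activity > WAIT_TIMEOUT:
            self.closed_by_server = True
            raise ConnectionError("Communications link failure")
        self.last_activity = self.clock()
        return "ok"

    def ping(self):
        """What a validation query such as SELECT 1 amounts to."""
        try:
            self.execute("SELECT 1")
            return True
        except ConnectionError:
            return False


class NaivePool:
    """Hands idle connections back untested: the behaviour described above."""
    def __init__(self, clock):
        self.clock, self.idle, self.reconnects = clock, [], 0

    def acquire(self):
        return self.idle.pop() if self.idle else FakeMySQLConnection(self.clock)

    def release(self, conn):
        self.idle.append(conn)


class ValidatingPool(NaivePool):
    """Discards connections idle longer than max_idle (kept below the server's
    wait_timeout) and pings the remaining ones before handing them out."""
    def __init__(self, clock, max_idle=WAIT_TIMEOUT - 60):
        super().__init__(clock)
        self.max_idle = max_idle

    def acquire(self):
        while self.idle:
            conn = self.idle.pop()
            if self.clock() - conn.last_activity <= self.max_idle and conn.ping():
                return conn
            self.reconnects += 1                  # stale: drop it and try the next one
        return FakeMySQLConnection(self.clock)


def simulate(pool_class, idle_seconds):
    """Use a connection, leave it idle for idle_seconds, then use it again.
    Returns (result or error message, number of connections replaced)."""
    clock = FakeClock()
    pool = pool_class(clock)
    conn = pool.acquire()
    conn.execute("SELECT 1")
    pool.release(conn)
    clock.advance(idle_seconds)
    conn = pool.acquire()
    try:
        return conn.execute("SELECT 1"), pool.reconnects
    except ConnectionError as exc:
        return str(exc), pool.reconnects
```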
          posted @ 2012-11-06 16:29 ivaneeo Read (4090) | Comments (0)

          SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"
          NO_AUTO_VALUE_ON_ZERO affects the handling of AUTO_INCREMENT columns. Normally you generate the next sequence number by inserting NULL or 0 into the column. NO_AUTO_VALUE_ON_ZERO disables this behaviour for 0, so only NULL generates the next sequence number.

          This mode is useful if 0 is stored in a table's AUTO_INCREMENT column. (This convention is not recommended.) For example, if you dump a table with mysqldump and then reload it, MySQL would normally generate new sequence numbers when it encounters 0 values, and the contents of the resulting table would differ from the dumped table. Enabling NO_AUTO_VALUE_ON_ZERO before reloading the dump file solves this problem.
          posted @ 2012-11-02 15:45 ivaneeo Read (341) | Comments (0)

          8 virtual desktop programs: Ulteo, NX Enterprise Server, FOSS-Cloud, Oracle VirtualBox, Thinstuff, JetClouding, GoGrid, 2X Cloud Computing
          posted @ 2012-10-20 13:18 ivaneeo Read (399) | Comments (0)

          sudo qemu-img create -f qcow2 -o size=30240M,preallocation=metadata win2003_hda.img
          http://blog.kreyolys.com/2011/09/27/kvm-virtual-machines-disk-format-file-basedqcow2-or-block-devicelvm2/ (comparison of the two formats)
          sudo virt-install \
          --name win2003_test \
          --ram=1024 \
          --vcpus=2 \
          --disk /kvm/win2003_hda.img,bus=virtio \
          --network bridge:br0,model=virtio \
          --vnc \
          --accelerate \
          -c /share/os/win2003-i386.iso \
          --disk /home/kvm/virtio-win-1.1.16.vfd,device=floppy \
          -c /home/kvm/virtio-win-0.1-22.iso \
          --os-type=windows \
          --os-variant=win2k3 \
          --noapic \
          --connect \
          qemu:///system \
          --hvm

          http://www.howtoforge.com/installing-kvm-guests-with-virt-install-on-ubuntu-12.04-lts-server


          Paravirtualization reference:
          #!/bin/sh
          WINISO=/path/to/win7.iso    # Windows ISO
          INSTALLDISK=win7virtio.img  # Disk location. Can be LVM LV
          VFD=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-1.1.16.vfd
          DRVRISO=http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/virtio-win-0.1-22.iso

          [ -e $(basename $VFD) ]     || wget $VFD
          [ -e $(basename $DRVRISO) ] || wget $DRVRISO
          [ -e $INSTALLDISK ]         || qemu-img create $INSTALLDISK 30G

          sudo virt-install -c qemu:///system --virt-type kvm --name win7virtio --ram 1024 --disk path="$INSTALLDISK",bus=virtio \
          --disk $(basename $VFD),device=floppy --os-variant win7 --cdrom $(basename $DRVRISO) --cdrom "$WINISO" --vcpus 2

          Other references:

          In my previous article KVM Guests: Using Virt-Install to Import an Existing Disk Image we discussed how to use virt-install to import an existing disk image, which already has an OS installed into it.  Additionally in KVM Guests: Using Virt-Install to Install Debian and Ubuntu Guests I documented how to initiate an install directly off of the apt mirror of your choice for Debian and Ubuntu Guests using virt-install.  In this article we will use virt-install to create a guest and begin the installation using a CD or ISO image for installation media.

          Assumptions I Have Made

          • My KVM host is Ubuntu 10.10 and I am assuming that yours is as well.  If it is not then the syntax might be slightly different or may not include the same features.
          • That you have kvm installed on the host and you can manually create VMs using virt-manager and they work perfectly.
          • That you have a bridge configured and working on other guests.
          • That you have virt-install and libvirt-bin installed as well as virt-manager or virt-viewer so that you can complete the install after the virt-install command has completed.
          • That you are trying to import disk images that support VirtIO devices (most recent Linux distributions do; Windows does not natively support the VirtIO interface, so you will have had to install the VirtIO drivers into your disk image manually).

          The Basic Command

          # virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntu --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso

          Parameters Detailed

          • -n vmname [the name of your VM]
          • -r 2048 [the amount of RAM in MB for your VM]
          • --os-type=linux [the type of OS: linux or windows]
          • --os-variant=ubuntu [the distribution or version of Windows; for a full list see man virt-install]
          • --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw [this is a long one: you define the path, then comma-delimited options; device is the type of storage (cdrom, disk, floppy), bus is the interface (ide, scsi, usb, virtio); virtio is the fastest but you need to install the drivers for Windows, and older versions of Linux don't have support]
          • -w bridge=br0,model=virtio [the network configuration; in this case we are connecting to a bridge named br0 and using the virtio drivers, which perform much better. If you are using an OS which doesn't support virtio you can use e1000 or rtl8139. You could alternatively use --nonetworks if you do not need networking]
          • --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop as if you were at the monitor of a physical machine]
          • --noautoconsole [configures the installer NOT to automatically open virt-viewer to view the console to complete the installation; this is helpful if you are working on a remote system through SSH]
          • -c /kvm/images/iso/ubuntu.iso [this option specifies the cdrom device or iso image to boot off of. You could alternatively specify the cdrom as a disk device and not use the -c option; it will then boot off the cdrom if you don't specify another installation method]

          LVM Disk Variation

          # virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /dev/vg_name/lv_name,device=disk,bus=virtio -w bridge=br0,model=virtio --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso

          No VirtIO Variation (Uses IDE and e1000 NIC Emulation)

          # virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=ide,size=40,sparse=true,format=raw -w bridge=br0,model=e1000 --vnc --noautoconsole -c /kvm/images/iso/ubuntu.iso

          Define VM Without Installation Method

          # virt-install -n vmname -r 2048 --os-type=linux --os-variant=ubuntulucid --disk /kvm/images/disk/vmname_boot.img,device=disk,bus=virtio,size=40,sparse=true,format=raw --disk /kvm/images/iso/ubuntu.iso,device=cdrom -w bridge=br0,model=virtio --vnc --noautoconsole

          posted @ 2012-06-08 17:55 ivaneeo Read (854) | Comments (0)

          ###################
          # Install Xming and PuTTY:
          ###################
          Xming is free software that runs the X Window System (often called X11 or simply X) on Microsoft Windows. It lets you run Linux programs from Windows (an X server, which is what this program is, must run on the local Windows machine).
          Linux and the various Unix-like operating systems all use graphical interfaces based on X Window. Its bulk makes running 3D games on Linux quite difficult, but thanks to its clean interfaces, good extensibility and portability (and, most importantly, its network transparency), it makes starting Linux graphical programs remotely very convenient.

          Download:
          https://sourceforge.net/projects/xming/
          or http://www.straightrunning.com/XmingNotes/

          Xming: renders with OpenGL
          Xming-fonts: standard X fonts; some traditional X applications need these fonts to display correctly
          Xming-mesa: renders with the slower Mesa; sometimes better for X forwarding
          Xming-portable-PuTTY: an ssh program that forwards the X display
          Xming-tools-and-clients: tools for some specific X applications

          PuTTY: http://www.putty.org/

          ####################################################
          # Using Xming over SSH: opening a Linux graphical program from a PuTTY terminal
          ####################################################
          1) Make sure /etc/ssh/sshd_config on the Linux server contains
          X11Forwarding yes

          2) X11 forwarding in PuTTY:

          PuTTY Configuration --> Preferred SSH protocol version -> the SSH version is 2.

          Connection --> SSH --> X11 --> Enable X11 forwarding; fill in localhost:0 for X display location and choose MIT-Magic-Cookie-1 for the protocol below.

          3) Start a Linux graphical program from Windows

          Start Xming; for the number in "Display number", use the default 0.

          Connect to the Linux server with PuTTY and run the following in the PuTTY terminal:

          export DISPLAY=10.160.13.229:0 (Note: the IP here is the address of the host where Xming is installed, i.e. the X server's IP address, which is your Windows machine's address; the X client is the Linux server.)

          (The DISPLAY environment variable has the form hostname:displaynumber.screennumber. Note that on some machines several display devices may share one set of input devices, for example two CRT monitors connected to one PC that share a single keyboard and mouse. That group of display devices has one common displaynumber, and each individual device in the group has its own screennumber. displaynumber and screennumber are both numbered from zero, so for ordinary users both displaynumber and screennumber are 0.

          hostname is the hostname or IP address of the machine running the X server, where the graphics will be displayed; it can be a Linux/Unix machine with a graphical session started, or a Windows machine running a Windows X server such as Exceed or X-Deep/32. If the host is empty, the X server runs on the local machine and the graphical program (the X client) connects to it over a unix socket instead of TCP.

          With TCP connections, displaynumber is the port number minus 6000; a displaynumber of 0 means port 6000.

          With unix socket connections it denotes the unix socket path; a displaynumber of 0 means /tmp/.X11-unix/X0.

          screennumber is almost always 0.)

          Then run gvim, and the Linux gvim appears on your Windows desktop.

          If you see:
          Xlib: connection to "10.160.13.229:0.0" refused by server Xlib: No protocol specified

          click "view log" on the Xming server icon in the bottom-right tray; you will find a message like

          AUDIT: ... Xming: client 4 rejected from IP 10.160.23.18

          10.160.23.18 is precisely the Linux server's address.

          Solution:
          Right-click the Xming icon on the desktop and change Xming's command line to disable access control with the -ac option:

          C:\Program Files\XMing\Xming.exe :0 -clipboard -multiwindow -ac


          Then start Xming, and the Linux graphical interface can be displayed on Windows.
          posted @ 2012-04-26 12:21 ivaneeo Read (13233) | Comments (2)

          Nginx's location directive allows different configuration for different URIs; the match can be a string or a regular expression. Regular expressions must use one of the following prefixes:
                  (1) ~*, case-insensitive match.
                  (2) ~, case-sensitive match.

                  For non-regex matches, i.e. string matches, the prefixes are:
                  (1) ^~, stop checking regular expressions once the string has matched.
                  (2) =, exact match.
                  (3) @, which strictly speaking is not a string match either; if you like, you can think of it as a regex match. It is a named label: such locations are not used for normal requests and usually serve only internal redirects.

                  During matching, Nginx first matches strings and then regular expressions. After the first regular expression matches, the search stops. If a regular expression matched, its result is used; if no regular expression matched, the string result is used.

                  In other words, if both a string and a regular expression match, the regular expression's result is used. The "^~" prefix can be used to stop regular expressions being checked after the string has matched; once the URI is matched, the search stops.

                  The "=" prefix performs an exact URI match and stops the search when the URI is found. "location = /" matches only "/", not "/test.html".

                  Regular expressions are matched in the order they appear in the configuration file; earlier ones take priority.

                  The "@" prefix is a named label; such locations are not used for normal requests and usually serve only internal redirects (for example error_page and try_files).

                  Finally, a summary of the matching process:
                  (1) "=" prefixes are matched first; if one matches, the search stops.
                  (2) All other locations are matched non-regex to find the most precise match (for the URI /blog/admin/, location /blog is longer than location /, so location /blog is more precise than location /). If the one found has the "^~" prefix, the search stops and that one is returned directly; otherwise the regex search begins. Can it happen that none of the non-regex locations match the URI? Certainly, if you do not define a location /, that can indeed happen; no matter, the regex search still runs.
                  (3) Regex search, in the order the locations appear in our configuration file.

                  (4) If the regex search succeeds, that regex location is used; otherwise, the result of step two is used. If "otherwise" happens and at the same time the situation assumed in the bold part of step two has also happened, what then? A 404 is waiting for you.


          Reference: nginx location management and lookup


          Example:

          location = / {
          # Matches only the query "/".
          [ configuration A ]
          }

          location / {
          # Matches any query, because every request starts with "/". But regex rules and longer block rules take priority over this one.
          [ configuration B ]
          }

          location ^~ /images/ {
          # Matches any query starting with /images/ and stops searching. No regular expression will be tested.
          [ configuration C ]
          }

          location ~* \.(gif|jpg|jpeg)$ {
          # Matches any request ending in gif, jpg or jpeg. However, all requests for the /images/ directory will use Configuration C.
          [ configuration D ]
          }

          Example requests:

          1. /  ->  exactly matches the 1st location; matching stops; configuration A is used
          2. /some/other/url  ->  the prefix string first matches the 2nd location; regex matching is then attempted and clearly nothing matches, so the 2nd location's configuration B is used
          3. /images/1.jpg  ->  the prefix string first matches the 2nd location, but it also prefix-matches the 3rd location, which is already the longest string match for this URL in the configuration; since that location carries the "^~" prefix no regex matching is done, and configuration C is used
          4. /some/other/path/to/1.jpg  ->  the prefix string again matches the 2nd location; regex matching is then attempted and succeeds this time, so configuration D is used

          Note: defining these 4 configurations in any order gives the same result.
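          The selection order above, as an added Python model (not nginx's own code) that reproduces the four example requests and also covers two cases the text only describes: case-insensitive ~* matching and the 404 that results when no location / exists and nothing else matches.

```python
"""Model of nginx location selection as described above (added illustration,
not nginx source).  Steps: '=' exact match; longest prefix match, where a
'^~' winner ends the search; regexes in file order; then the prefix winner,
or None for a 404.  '@' named locations never match a client request."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str    # '=', '^~', '~', '~*', '@' or '' (plain prefix)
    pattern: str
    config: str      # stands in for the location's configuration block


def select_location(uri, locations):
    """Return the config label of the winning location, or None (404)."""
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=":
            if uri == loc.pattern:
                return loc.config                       # step 1: exact match wins outright
        elif loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc                       # step 2: most specific prefix
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix.config                       # '^~' suppresses the regex pass
    for loc in locations:                               # step 3: regexes in file order
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.config
    return best_prefix.config if best_prefix else None  # step 4: prefix result or 404


# The four locations from the example above.
PAGE_LOCATIONS = [
    Location("=", "/", "A"),
    Location("", "/", "B"),
    Location("^~", "/images/", "C"),
    Location("~*", r"\.(gif|jpg|jpeg)$", "D"),
]
```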

          posted @ 2012-04-17 19:45 ivaneeo Read (1055) | Comments (0)

          What I found online was to add the following to the configuration file:

          optimize_server_names off;
          server_name_in_redirect off;

          But nginx 0.8.38 reports:

          Restarting nginx: [warn]: the "optimize_server_names" directive is deprecated, use the "server_name_in_redirect" directive instead in /etc/nginx/nginx.conf:44
          [emerg]: "server_name_in_redirect" directive is duplicate in /etc/nginx/nginx.conf:45
          configuration file /etc/nginx/nginx.conf test failed

          Roughly, this means:
          optimize_server_names has been deprecated; server_name_in_redirect alone is enough.

          So only the following line needs to be added to nginx.conf:

          server_name_in_redirect off;
          posted @ 2012-04-10 15:25 ivaneeo Read (1768) | Comments (0)
