Posts from January, 2015
Deploying an OpenVPN Server on CentOS 6
Posted by mcsrainbow in Linux&Unix, 2015/01/30
References:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
http://docs.ucloud.cn/software/vpn/OpenVPN4CentOS.html
Background:
Recently the GFW started blocking VPNs specifically, and the PPTP/L2TP VPN I had set up earlier on my VPS has become unstable at times.
So I decided to set up an additional OpenVPN server on the VPS as a fallback.
Setup:
OS: CentOS 6.4 x86_64 Minimal
1. Install the EPEL repository
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
2. Install the required dependencies
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
3. Install OpenVPN
# yum install openvpn
4. Download easy-rsa 2.x
# wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
# unzip 2.x.zip
# cd easy-rsa-release-2.x
# cp -rf easy-rsa /etc/openvpn/
5. Configure the easy-rsa vars file
# cd /etc/openvpn/easy-rsa/2.0/
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x vars
Edit the following entries in the vars file:
# vim vars
...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="JP"
export KEY_CITY="Tokyo"
export KEY_ORG="heylinux.com"
export KEY_EMAIL="guosuiyu@gmail.com"
export KEY_OU="MyOrganizationalUnit"
...
Source the vars file so the environment variables take effect:
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
6. Generate the certificates and keys
Remove any old certificates:
# ./clean-all
Generate the CA certificate. Since the defaults were set in the vars file, just press Enter at every prompt:
# ./build-ca
Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com CA]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:
Generate the server certificate. Again press Enter at each prompt, and answer y to the [y/n] questions at the end:
# ./build-key-server heylinux.com
Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to 'heylinux.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'heylinux.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:49:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the DH parameters:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................+.............++*++*++*
Generate the TLS auth key (ta.key):
# cd keys
# openvpn --genkey --secret ta.key
# cd ..
Generate client certificates, for example for the two users eric and rainbow:
# ./build-key eric
Generating a 1024 bit RSA private key
.++++++
..........................................................................++++++
writing new private key to 'eric.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:nginxs.com
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [eric]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:eric@nginxs.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'nginxs.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'eric'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'eric@nginxs.com'
Certificate is to be certified until Jan 26 09:52:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key rainbow
Generating a 1024 bit RSA private key
......................++++++
......................++++++
writing new private key to 'rainbow.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [rainbow]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'rainbow'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:52:49 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Edit the server configuration file:
# vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# key direction 0 on the server, 1 in the client .ovpn (tls-auth ta.key 1)
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
server 10.192.170.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DOMAIN-SEARCH ap-northeast-1.compute.internal"
push "dhcp-option DOMAIN-SEARCH ec2.drawbrid.ge"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
Notes on the configuration above:
udp is used; compared with tcp it performs better on poor networks;
the paths of the ca, cert, key and dh files are given explicitly;
the virtual IP range 10.192.170.0 is assigned to VPN clients;
ipp.txt is used as the client-to-virtual-IP mapping table, so a reconnecting client gets the same IP;
redirect-gateway is pushed, so after connecting the client routes all traffic through the server by default;
dhcp-option is pushed, so EC2's default DNS settings are sent to the client and its resolver configuration (e.g. /etc/resolv.conf on MacOS) is set automatically;
client-to-client is enabled so that clients can talk to each other directly;
nobody is used as user and group to lower the privileges OpenVPN runs with;
TLS auth is enabled (tls-auth with the ta.key generated above);
lzo compression is enabled;
separate log files are specified;
Create the log directory:
# mkdir -p /var/log/openvpn
# chown openvpn:openvpn /var/log/openvpn
8. Start the OpenVPN service
# /etc/init.d/openvpn start
# chkconfig openvpn on
9. Configure the server: enable NAT forwarding and open the port
# vim /etc/sysctl.conf
...
net.ipv4.ip_forward = 1
...
# sysctl -p
# iptables -t nat -A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE
# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart
# chkconfig iptables on
Note: on a cloud host such as EC2, skip the port-filtering rules above and configure them in the Security Group instead.
10. Configure the OpenVPN client
Copy the certificates generated on the server into one place, e.g. for the user rainbow:
# mkdir -p /home/rainbow/tmp/openvpn_heylinux
# cd /home/rainbow/tmp/openvpn_heylinux
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ta.key .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ca.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.key .
Create the .ovpn configuration file for the user rainbow:
# vim rainbow.ovpn
client
dev tun
proto udp
remote 54.238.131.140 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rainbow.crt
key rainbow.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
Bundle the certificate files together with the ovpn configuration:
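As an added example (not code from the post), the following shell script checks a server.conf and a client .ovpn for the settings this setup relies on: the tls-auth key direction must be 0 on the server and 1 on the client, the server should drop to user/group nobody, the client should carry remote-cert-tls server, and a 1024-bit DH file is flagged as weak. The sample configs it writes are constructed to mirror the ones above; the helper names (conf_get, check_tls_auth, check_server_conf, check_client_conf) and the temp-file locations are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): lint a server.conf and a client
# .ovpn for the settings the post depends on. The sample configs below are
# constructed to mirror the post; the helper names are my own.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

SERVER_OK="$TMPD/server.conf"          # as in the post, tls-auth on the server side
cat > "$SERVER_OK" <<'EOF'
port 1194
proto udp
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
user nobody
group nobody
EOF

SERVER_WEAK="$TMPD/server-weak.conf"   # constructed: stays root, no tls-auth
cat > "$SERVER_WEAK" <<'EOF'
port 1194
proto udp
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
EOF

CLIENT_OK="$TMPD/rainbow.ovpn"         # as in the post
cat > "$CLIENT_OK" <<'EOF'
client
remote 54.238.131.140 1194
remote-cert-tls server
tls-auth ta.key 1
EOF

CLIENT_WEAK="$TMPD/rainbow-weak.ovpn"  # constructed: wrong key direction, no server check
cat > "$CLIENT_WEAK" <<'EOF'
client
remote 54.238.131.140 1194
tls-auth ta.key 0
EOF

# Print the arguments of the first occurrence of directive $2 in file $1.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# tls-auth key direction must be 0 on the server and 1 on the client ($2).
check_tls_auth() {
    case "$(conf_get "$1" tls-auth)" in
        "")      echo "tls-auth-missing" ;;
        *" $2")  ;;
        *)       echo "tls-auth-direction" ;;
    esac
}

# Server: tls-auth direction 0, drops to nobody, no 1024-bit DH group.
check_server_conf() {
    p=$(check_tls_auth "$1" 0)
    [ "$(conf_get "$1" user)" = nobody ]  || p="${p:+$p }user"
    [ "$(conf_get "$1" group)" = nobody ] || p="${p:+$p }group"
    case "$(conf_get "$1" dh)" in *dh1024*) p="${p:+$p }dh1024" ;; esac
    echo "$p"
}

# Client: remote-cert-tls server (a client certificate signed by the same CA
# must not be accepted as the server's) and tls-auth direction 1.
check_client_conf() {
    p=""
    [ "$(conf_get "$1" remote-cert-tls)" = server ] || p="remote-cert-tls"
    t=$(check_tls_auth "$1" 1)
    [ -z "$t" ] || p="${p:+$p }$t"
    echo "$p"
}

# Findings per file; an empty line means nothing was flagged.
echo "server.conf:       $(check_server_conf "$SERVER_OK")"
echo "server-weak.conf:  $(check_server_conf "$SERVER_WEAK")"
echo "rainbow.ovpn:      $(check_client_conf "$CLIENT_OK")"
echo "rainbow-weak.ovpn: $(check_client_conf "$CLIENT_WEAK")"
```

On the post's own configuration the only finding is dh1024: the vars comment already suggests 2048, and a 1024-bit DH group is no longer considered adequate, so regenerate it after raising KEY_SIZE. The remote-cert-tls check matters because every client certificate here is signed by the same CA; without it, a client-only certificate presented by a peer on the network would be accepted as the server's.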
# cd /home/rainbow/tmp
# tar cf openvpn_heylinux.tar openvpn_heylinux
Download the resulting openvpn_heylinux.tar to the local machine;
On Windows, download and install the OpenVPN client:
Download: http://openvpn.net/index.php/download.html
Then put the certificate files and rainbow.ovpn into the C:/Program Files/OpenVPN/config directory, double-click the OpenVPN icon on the desktop and choose the profile;
On MacOS, download and install Tunnelblick:
Download: https://code.google.com/p/tunnelblick/
Then extract openvpn_heylinux.tar and rename the folder to heylinux.com.tblk;
Locate heylinux.com.tblk in Finder and double-click it;
11. Screenshots taken after a successful connection on MacOS:
12. A simpler and easier alternative: https://www.digitalocean.com/community/tutorials/openvpn-access-server-centos
Hadoop Ops Notes: Datanodes turning into Deadnodes because the Last Contact value grows abnormally
Posted by mcsrainbow in Linux&Unix, 2015/01/15
In production we use Cloudera's CDH Hadoop distribution, but since migrating from CDH3 to CDH5 the bugs have kept coming. :(
CDH5.0.x had no severe bugs, but state synchronisation between the Namenodes was broken.
Specifically, to decommission a node you had to operate on the Active Namenode; if you did it on the Standby Namenode, the Decommissioning state was never synced to the Active Namenode and the node was never actually decommissioned.
Even when done on the Active Namenode, the Decommissioned state was not synced to the Standby Namenode.
Upgrading to CDH5.1.0 fixed that, but we did not expect the later versions to have even worse bugs.
CDH5.1.0 had a severe bug where snapshot operations corrupted the edits log and crashed the Namenode; after matching it to the known bug, our only option was to upgrade to CDH5.2.0.
But CDH5.2.0 introduced a new bug: the Datanode's heartbeat to the Namenode is blocked by running jobs, so even though the Datanode's load is not high, its Last Contact value keeps increasing.
The default heartbeat timeout is 630 seconds; once it is exceeded, the Namenode automatically puts the Datanode in the Deadnodes list.
All of our developers and ops spent a week analysing and debugging without solving it, and without finding a bug report that matched the problem exactly.
In the end, a peer at another company hit the same problem and solved it by upgrading to CDH5.3.0.
With nothing else to try we also upgraded to CDH5.3.0, and it did fix the heartbeat problem with the growing Last Contact value.
I cannot help but sigh: CDH5 has a lot of bugs, some of them causing very serious problems, but now that we are on board we can only hope for the best.
Documentation for upgrading directly from a version before CDH5.2.0 to CDH5.3.0:
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_ig_earlier_cdh5_upgrade.html
Documentation for upgrading from CDH5.2.0 to CDH5.3.0:
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_ig_cdh5beta1_to_latest_upgrade.html
Documentation for upgrading Hive and Oozie to the CDH5.3.0 versions:
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_ig_hive_upgrade.html
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_ig_oozie_upgrade.html
SSH Tunnel in Practice
Posted by mcsrainbow in Linux&Unix, 2015/01/09
References:
http://blog.creke.net/722.html
Background:
We currently have several data centers, and the network speed between them varies a lot, so we usually pick the best data center as the VPN entry point.
But sometimes accessing services in other data centers directly through the VPN is very slow, so we work around it temporarily with an SSH tunnel.
Scenario:
Access to idc1-server1 is fast, direct access to idc2-server2 is slow, but the link from idc1-server1 to idc2-server2 is fast;
so we use idc1-server1 as a jump host to reach idc2-server2.
ssh -i /path/to/sshkey -l username -f -N -T -L 8088:idc2-server2:80 idc1-server1
Opening http://localhost:8088 in a browser is then equivalent to visiting http://idc2-server2
Key parameters:
-L 8088:idc2-server2:80
Forwards a local port to a given port on a remote machine. How it works: a socket on the local machine listens on the port; once a connection arrives, it is forwarded through the secure tunnel (idc1-server1), i.e. localhost:8088 -> (idc1-server1) -> idc2-server2:80;
ssh -i /path/to/sshkey -l username -f -N -T -L 2022:idc2-server2:22 idc1-server1
With scp, files can be uploaded to idc2-server2 via idc1-server1:
scp -i /path/to/sshkey -P 2022 upload_file_name.tgz dong@localhost:/path/to/upload/
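Added example (not from the post): a small wrapper around the -L forward above. tunnel_spec validates the LPORT:HOST:RPORT string and binds the listener to 127.0.0.1 explicitly; tunnel_up runs the same ssh -f -N -T command as the post but with ExitOnForwardFailure=yes, so ssh exits non-zero when local port 8088 is already in use instead of staying alive with no forward, and it keeps a control socket so that tunnel_down can close the background process later. The function names and the socket path under $TMPDIR are my own; the host names and key path follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: open and close the -L tunnel
# from the post so that it fails loudly and can be torn down again. Host
# names and the key path follow the post; the socket location and the
# helper names are my own.

# Validate a spec of the form LPORT:HOST:RPORT and print it with an explicit
# loopback bind, so the forwarded port is only reachable from this machine.
tunnel_spec() {
    spec=$1
    lport=${spec%%:*}
    rest=${spec#*:}
    host=${rest%:*}
    rport=${rest##*:}
    # exactly three fields: the host part must contain no further colon
    [ "$host" != "$rest" ] && [ "${host#*:}" = "$host" ] && [ -n "$host" ] || return 1
    for p in "$lport" "$rport"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    echo "127.0.0.1:$lport:$host:$rport"
}

# One control socket per tunnel, so the backgrounded ssh can be found again.
tunnel_sock() {
    printf '%s/tunnel-%s.sock' "${TMPDIR:-/tmp}" "$(printf '%s' "$1" | tr ':' '_')"
}

# Open the tunnel: -f -N -T as in the post; ExitOnForwardFailure makes ssh
# exit non-zero when the local port is already bound instead of staying up
# with no forward; -M -S keeps a control socket for tunnel_down.
tunnel_up() {
    # $1 = spec, $2 = jump host, $3 = key file, $4 = login name
    fwd=$(tunnel_spec "$1") || { echo "bad -L spec: $1" >&2; return 2; }
    ssh -i "$3" -l "$4" -f -N -T -o ExitOnForwardFailure=yes \
        -M -S "$(tunnel_sock "$fwd")" -L "$fwd" "$2"
}

# Close it through the control socket (ssh requires a host argument here,
# but only the socket is used).
tunnel_down() {
    fwd=$(tunnel_spec "$1") || return 2
    ssh -S "$(tunnel_sock "$fwd")" -O exit "$2"
}

# Usage with the post's hosts (not executed here):
#   tunnel_up   8088:idc2-server2:80 idc1-server1 /path/to/sshkey username
#   tunnel_down 8088:idc2-server2:80 idc1-server1
tunnel_spec 8088:idc2-server2:80
```

Without ExitOnForwardFailure, a second tunnel_up for the same local port succeeds from the shell's point of view while the listener still belongs to the first ssh, which is easy to miss with -f -N; the control socket also avoids hunting for the right ssh process when the tunnel is no longer needed.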
Hadoop Ops Notes: Replacing the du command to reduce datanode disk IO
Posted by mcsrainbow in Linux&Unix, 2015/01/06
Background:
Recently disk IO on many datanode nodes has been high, mainly because of the growing number and size of jobs.
But any means of reducing disk IO consumption is worth a try.
For example, we often see the hdfs user running "du -sk":
[root@idc1-server2 ~]# ps -ef | grep "du -sk"
hdfs 17119 10336 1 00:57 ? 00:00:04 du -sk /data1/dfs/dn/current/BP-1281416642-10.100.1.2-1407274717062
hdfs 17142 10336 1 00:57 ? 00:00:03 du -sk /data5/dfs/dn/current/BP-1281416642-10.100.1.2-1407274717062
hdfs 17151 10336 1 00:57 ? 00:00:05 du -sk /data6/dfs/dn/current/BP-1281416642-10.100.1.2-1407274717062
...
As the data on a datanode grows, such frequent du runs take a long time; even when CPU and disk IO are idle each run takes about 5 seconds, and under high server load it takes far longer.
So we considered replacing the original du command with a new du written on top of df.
[root@idc1-server2 ~]# mv /usr/bin/du /usr/bin/du.orig
[root@idc1-server2 ~]# vim /usr/bin/du
#!/bin/sh
# Hadoop calls "du -sk <path>"; report the used space of the filesystem that
# holds the path given as the second argument, in the same "SIZE<TAB>PATH"
# format that du -sk prints.
mydf=$(df -Pk "$2" | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $3 }')
echo -e "$mydf\t$2"
[root@idc1-server2 ~]# chmod +x /usr/bin/du
But then, aren't the resulting numbers inaccurate?
It depends on the situation: Hadoop datanodes usually store their data on separate disks with their own partitions, so the error in the df-based figure should be very small.
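Added example (not the post's script): a variant of the df-based replacement that only takes the df shortcut when the path is on a dedicated data filesystem, as the post assumes, and passes every other invocation through to the real du (du.orig after the rename above), so a call against a directory on the root filesystem still returns an accurate size. REAL_DU, the function names and the demo directory are my own.

```shell
#!/bin/sh
# Added example, not the post's own script: a df-based du stand-in that only
# takes the df shortcut when the path lives on a dedicated data filesystem
# (the post's assumption) and hands everything else to the real du.
# REAL_DU, the function names and the demo directory are my own.

# The post renames the real du to du.orig; outside a datanode fall back to
# the system du so this file runs as-is.
REAL_DU=${REAL_DU:-$(command -v du.orig || command -v du)}

# Mount point holding $1, taken from the POSIX (-P) single-line df format.
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# The df figure is only a fair estimate of du when the datanode directory is
# the only thing on its filesystem, i.e. the path is not on the root fs.
on_dedicated_fs() {
    mp=$(mount_point_of "$1") && [ -n "$mp" ] && [ "$mp" != "/" ]
}

# Fast path: used KiB of the whole filesystem, printed as "SIZE<TAB>PATH",
# which is what "du -sk PATH" prints and what the datanode parses.
df_du() {
    used=$(df -Pk "$1" | awk 'NR == 2 { print $3 }')
    printf '%s\t%s\n' "$used" "$1"
}

# Entry point: only "du -sk PATH" on a dedicated filesystem is intercepted;
# any other option set, or a path on the root filesystem, goes to the real du.
du_wrapper() {
    if [ $# -eq 2 ] && [ "$1" = "-sk" ] && on_dedicated_fs "$2"; then
        df_du "$2"
    else
        "$REAL_DU" "$@"
    fi
}

# Demo on a throwaway directory (constructed input, not a datanode path).
demo=$(mktemp -d)
du_wrapper -sk "$demo"
rmdir "$demo"
```

Installed as /usr/bin/du, the wrapper keeps the post's saving on /data1, /data5 and so on while du.orig still answers for everything else on the box. Hadoop also lets you lengthen the interval between these du runs with fs.du.interval, which lowers the load without touching the system's du at all.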