elasticsearch cluster

https://www.elastic.co/guide/en/elasticsearch/reference/current/file-descriptors.html
https://discuss.elastic.co/t/problems-with-access-to-elasticsearch-form-outside-machine/172450

Edit elasticsearch.yml so the node listens on all interfaces (the discuss thread above is about reaching Elasticsearch from another machine):

network.host: 0.0.0.0

The file-descriptor problem is fixed by editing /etc/security/limits.conf; xuhang below is the user that starts Elasticsearch:

xuhang soft nofile 65536
xuhang hard nofile 65536

For the error "the default discovery settings are unsuitable for production use", edit elasticsearch.yml:

discovery.seed_hosts: []
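As an added example (not from these notes or from Elastic), a small Python check over the two kinds of configuration fragment above: it flags a node that binds a non-loopback address without explicitly enabling security, an empty seed-host list, and nofile limits below the 65,535 that the file-descriptor page linked above asks for. The configuration text is constructed here; xpack.security.enabled is the real Elasticsearch setting name, and the parser only understands flat key: value lines.

```python
# Constructed configuration fragments modelled on the settings in the notes above.
ES_YML = """\
cluster.name: demo
network.host: 0.0.0.0
discovery.seed_hosts: []
"""

LIMITS_CONF = """\
xuhang soft nofile 65536
xuhang hard nofile 65536
"""

MIN_NOFILE = 65535  # minimum the Elasticsearch file-descriptor docs ask for

# network.host values that keep the node reachable only from the local machine
LOOPBACK_VALUES = {"", "_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse single-level 'key: value' lines (enough for elasticsearch.yml fragments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def es_findings(settings):
    """Return human-readable findings for an elasticsearch.yml settings dict."""
    findings = []
    host = settings.get("network.host", "")
    security = settings.get("xpack.security.enabled", "").lower()
    if host not in LOOPBACK_VALUES and security != "true":
        findings.append(
            "network.host=%s is reachable from other machines but "
            "xpack.security.enabled is not set to true" % host)
    if settings.get("discovery.seed_hosts", "").replace(" ", "") == "[]":
        findings.append("discovery.seed_hosts is empty: this node will not find any other node")
    return findings


def nofile_findings(limits_text, user):
    """Check the soft/hard nofile limits for `user` in limits.conf-style text."""
    limits = {}
    for raw in limits_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] == user and parts[2] == "nofile":
            limits[parts[1]] = int(parts[3])
    findings = []
    for kind in ("soft", "hard"):
        value = limits.get(kind)
        if value is None:
            findings.append("no %s nofile limit set for %s" % (kind, user))
        elif value < MIN_NOFILE:
            findings.append("%s nofile=%d for %s is below %d" % (kind, value, user, MIN_NOFILE))
    return findings


if __name__ == "__main__":
    for f in es_findings(parse_flat_yaml(ES_YML)) + nofile_findings(LIMITS_CONF, "xuhang"):
        print("finding:", f)
```

Run against the constructed fragments it reports the open bind and the empty seed list; the limits lines from the notes pass because 65536 is above the minimum.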

PowerShell concepts

.NET and PowerShell

The reason for this is that PowerShell commands can read and write objects, as opposed to conventional shells that can only process strings of text. Because PowerShell runs on the .NET platform, the objects that are used are .NET objects, which makes it an ideal scripting language for .NET programs.

powershell sample

create excel (requires MS Office to be installed)

# create new excel instance
$objExcel = New-Object -comobject Excel.Application
$objExcel.Visible = $True
$objWorkbook = $objExcel.Workbooks.Add()
$objWorksheet = $objWorkbook.Worksheets.Item(1)

# write information to the excel file
$i = 0
$first10 = (ps | sort ws -Descending | select -first 10)
$first10 | foreach -Process {$i++; $objWorksheet.Cells.Item($i,1) = $_.name; $objWorksheet.Cells.Item($i,2) = $_.ws}
$otherMem = (ps | measure ws -s).Sum - ($first10 | measure ws -s).Sum
$objWorksheet.Cells.Item(11,1) = "Others"; $objWorksheet.Cells.Item(11,2) = $otherMem

# draw the pie chart
$objCharts = $objWorksheet.ChartObjects()
$objChart = $objCharts.Add(0, 0, 500, 300)
$objChart.Chart.SetSourceData($objWorksheet.range("A1:B11"), 2)
$objChart.Chart.ChartType = 70
$objChart.Chart.ApplyDataLabels(5)

powershell module

guide

https://www.pstips.net/create-mini-module.html

Open PowerShell ISE, define the function, then write it out as a module file:

function Get-BIOS
{ param($ComputerName, $Credential)
Get-WmiObject -Class Win32_BIOS @PSBoundParameters
}


$name = 'Get-BIOS'


New-Item -Path $home\Documents\WindowsPowerShell\Modules\$name\$name.psm1 -ItemType File -Force -Value "function $name { $((Get-Item function:\$name).Definition) }"


Open a new PowerShell window:

Get-Module -Name Get-BIOS
Get-BIOS

ping and the network protocol

ping has no option to specify a port: it works at the network layer, while ports are a transport-layer concept.

The ping program uses ICMP. Unlike application-layer protocols such as HTTP and FTP, which run over transport-layer port numbers (TCP ports 80 and 20/21 respectively), ICMP is encapsulated directly inside the IP packet.
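As an added example (not from these notes), the point about ports can be seen in the packet layout itself. The Python below builds and decodes an ICMP echo-request header with the RFC 1071 checksum: the eight header bytes are type, code, checksum, identifier and sequence number, and there is no port field anywhere, whereas the first four bytes of a TCP header are exactly the source and destination ports. The packet bytes are constructed locally; nothing is sent on the network.

```python
import struct

ICMP_ECHO_REQUEST = 8  # type field value for an echo request
ICMP_ECHO_REPLY = 0


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload):
    """ICMP echo header: type, code, checksum, identifier, sequence; then the payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode the 8-byte ICMP header; note there is no source or destination port field."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        "id": ident,        # echo identifier: how ping matches replies to its own requests
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": inet_checksum(packet) == 0,  # an intact packet sums to zero
    }


def parse_tcp_ports(segment):
    """For contrast: the first four bytes of a TCP header are the source and destination ports."""
    src, dst = struct.unpack("!HH", segment[:4])
    return src, dst


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"ping-payload")
    print(parse_icmp(pkt))
    # constructed start of a TCP header: source port 40000, destination port 80
    print(parse_tcp_ports(struct.pack("!HH", 40000, 80)))
```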

ansible windows setup

1

Put the following in /etc/ansible/hosts. ansible_winrm_transport is the key setting; without it you get the error "msg": "plaintext: the specified credentials were rejected by the server".
https://www.jianshu.com/p/0ad50049adb7

[windows]
node3 ansible_user=xuhang ansible_password=xuhang ansible_connection=winrm ansible_winrm_transport=ntlm ansible_port=5985 ansible_winrm_scheme=http

2

https://www.cnblogs.com/herui1991/p/12304487.html
Important: do not install ansible with yum. Install it with pip3 or from a binary package; otherwise, even with the pywinrm module installed, it cannot manage Windows hosts.

pip3 install --user ansible

3

[xuhang@localhost ansible]$ ansible all -m ping
[WARNING]: No python interpreters found for host node3 (tried ['/usr/bin/python', 'python3.7', 'python3.6', 'python3.5', 'python2.7', 'python2.6', '/usr/libexec/platform-python', '/usr/bin/python3', 'python'])

This happens because the remote host is Windows but it was treated as Linux (a Linux remote host needs Python installed). It is probably treated as Linux because this is the wrong way to test: the ping module cannot be used directly against it; use the example below instead.

---
# This playbook installs 7-Zip
- hosts: windows
  tasks:
    - name: Ensure 7-Zip is installed via Chocolatey
      win_chocolatey:
        name: 7zip
        state: present

WinRM service

On Windows Server 2016 this service is enabled by default; running winrm quickconfig turns it on (it reports that it is already enabled). This is only the HTTP listener; HTTPS requires a certificate.

authentication

https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#basic
Basic authentication is one of the simplest authentication options to use, but is also the most insecure. This is because the username and password are simply base64 encoded, and if a secure channel is not in use (eg, HTTPS) then it can be decoded by anyone. Basic authentication can only be used for local accounts (not domain accounts).

https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-setup
This step enables Basic authentication. Basic needs a username and password, but the PowerShell script linked there may have to be run first to enable it.

In short: search both Google and Baidu for the answer to a problem.
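As an added example (not from these notes or from the Ansible project), a Python check that reads an INI-style inventory like the one above and rates each WinRM host by how its transport and scheme protect the credentials, plus a decoder that shows why the Ansible docs call Basic insecure without HTTPS. The inventory text is constructed; node3 copies the page's line and node4/node5 are invented for contrast. Assumptions: a missing ansible_winrm_transport is treated as plaintext (which is what the error quoted above shows Ansible falling back to), and a missing ansible_winrm_scheme is taken as http only when the port is 5985.

```python
import base64

# Constructed inventory modelled on the page's [windows] group; hosts and passwords are not real.
SAMPLE_INVENTORY = """\
[windows]
node3 ansible_user=xuhang ansible_password=xuhang ansible_connection=winrm ansible_winrm_transport=ntlm ansible_port=5985 ansible_winrm_scheme=http
node4 ansible_user=svc ansible_password=pw ansible_connection=winrm ansible_winrm_transport=basic ansible_port=5985 ansible_winrm_scheme=http
node5 ansible_user=svc ansible_password=pw ansible_connection=winrm ansible_winrm_transport=basic ansible_port=5986 ansible_winrm_scheme=https
"""

CLEARTEXT_CREDENTIAL_TRANSPORTS = {"basic", "plaintext"}   # pywinrm's 'plaintext' is Basic auth
ENCRYPTING_TRANSPORTS = {"ntlm", "kerberos", "credssp"}    # can encrypt message bodies over http


def parse_inventory(text):
    """Return {host: {var: value}} from INI-style host lines; group headers and comments are skipped."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "#", ";")):
            continue
        name, *pairs = line.split()
        hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts


def winrm_findings(hosts):
    """Rate each WinRM host's transport/scheme pair by how it protects the credentials."""
    findings = {}
    for name, v in hosts.items():
        if v.get("ansible_connection") != "winrm":
            continue
        # assumption: scheme defaults to http only on the plain-HTTP port 5985
        scheme = v.get("ansible_winrm_scheme", "http" if v.get("ansible_port") == "5985" else "https").lower()
        # assumption: no transport given means Ansible falls back to plaintext (Basic)
        transport = v.get("ansible_winrm_transport", "plaintext").split(",")[0].strip().lower()
        if scheme == "http" and transport in CLEARTEXT_CREDENTIAL_TRANSPORTS:
            level = "HIGH: Basic credentials are only base64-encoded and travel over cleartext HTTP"
        elif scheme == "http" and transport in ENCRYPTING_TRANSPORTS:
            level = "MEDIUM: cleartext HTTP; relies on WinRM message encryption for %s, prefer https on 5986" % transport
        elif transport in CLEARTEXT_CREDENTIAL_TRANSPORTS:
            level = "LOW: Basic over HTTPS (local accounts only)"
        else:
            level = "OK"
        findings[name] = level
    return findings


def encode_basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def decode_basic_header(header_value):
    """Show why Basic needs TLS: the header decodes straight back to user:password."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for host, finding in winrm_findings(parse_inventory(SAMPLE_INVENTORY)).items():
        print(host, "->", finding)
    print(decode_basic_header(encode_basic_header("xuhang", "xuhang")))
```

The page's own node3 line lands in the MEDIUM bucket: NTLM does not send the password itself, and WinRM can encrypt the message bodies, but the listener is still plain HTTP; the HTTPS listener mentioned in the WinRM section above is the fix.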

PowerShell DSC getting started

guide

https://docs.microsoft.com/zh-cn/powershell/scripting/dsc/configurations/write-compile-apply-configuration?view=powershell-7

hello world

Note that the final HelloWorld line (the call to the configuration) must be present, otherwise compiling does not produce a MOF file.

Configuration HelloWorld {

    # Import the module that contains the File resource.
    Import-DscResource -ModuleName PsDesiredStateConfiguration

    # The Node statement specifies which targets to compile MOF files for, when this configuration is executed.
    Node 'localhost' {

        # The File resource can ensure the state of files, or copy them from a source to a destination with persistent updates.
        File HelloWorld {
            DestinationPath = "d:\work\HelloWorld.txt"
            Ensure = "Present"
            Contents = "Hello World from DSC!"
        }
    }
}

HelloWorld

Compile and run

. ./HelloWorld.ps1
Start-DscConfiguration -Path .\HelloWorld -Verbose -Wait   # d:\work\HelloWorld.txt now exists

troubleshooting

PowerShell ISE must be run as administrator
The WinRM service must be running

jwt introduction

https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/

https://github.com/mengxu2018/jwt

During the authentication process, when a user successfully logs in using their credentials, a JSON Web Token is returned and must be saved locally (typically in local storage). Whenever the user wants to access a protected route or resource (an endpoint), the user agent must send the JWT, usually in the Authorization header using the Bearer schema, along with the request.

JWT is commonly used for authorization. JWT is not about authentication: the user still logs in with a username and password or OpenID Connect, but subsequent requests for resources can carry the JWT received earlier, and at that point the token serves as the authorization. The article below explains the JWT workflow in more detail:

https://jwt.io/introduction/
[figure: client-credentials-grant.png]

  1. The application or client requests authorization to the authorization server. This is performed through one of the different authorization flows. For example, a typical OpenID Connect compliant web application will go through the /oauth/authorize endpoint using the authorization code flow.
  2. When the authorization is granted, the authorization server returns an access token to the application.
  3. The application uses the access token to access a protected resource (like an API).
    So JWT also needs an authorization server to issue a token; afterwards the token alone is used to access the API.

https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

https://www.oauth.com/oauth2-servers/the-resource-server/

What is the difference between OAuth2 and JWT?
The tokens serve different purposes. A JWT contains the user's basic information and is a string generated cryptographically from it; once the server receives the token it does not need to look the user's information up again, it gets it by parsing the token.
Think about a microservice architecture: the user service is a separate service, but most other services also need user information. Should they fetch it every time they need it? JWT fits microservices very well.

OAuth2 is used for logging in with a third-party account (for example logging in to an app with Weibo, QQ or GitHub).
JWT is used when the frontend and backend are separated and the backend API needs simple protection (with a separated frontend and backend there is no session, and sending the user's password frequently is insecure).
OAuth2 is a relatively complex protocol with four grant types; the authorization code grant can be implemented with a JWT as the code, or without one. There is no necessary connection between the two.

In summary, JWT is very lightweight; this article is worth reading: https://www.cnblogs.com/grissom007/p/6294746.html

OAuth2 resource server validating the token
http://springcloud.cn/view/431

ansible setup

Upgrade to Python 3 first (see the other article).

For installation you can download the CentOS RPM:

https://cbs.centos.org/koji/buildinfo?buildID=27713
The other packages it depends on can be installed with yum. If you need to manage Windows machines, ansible must be installed with pip, otherwise the Python modules for managing Windows are not recognised:

pip3 install --user ansible

Passwordless SSH login

http://getansible.com/begin/an_zhuang_ansile

# generate an ssh key pair
ssh-keygen

# copy the public key to the remote host; ssh then no longer asks for a password
ssh-copy-id remoteuser@remoteserver

# pre-record the host key so ssh does not prompt whether to save it
ssh-keyscan remote_servers >> ~/.ssh/known_hosts

Configure passwordless login for root->root and ccms->ccms.

ad-hoc commands

https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html

The commands below can be run directly as root or as ccms:
ansible all -m copy -a "src=/tmp/xu dest=/tmp/xu2"
ansible all -m ping
ansible all -a "/sbin/reboot"

Running the following as root fails; passwordless login from root to the remote ccms account is needed first.
Just run step 2 above, ssh-copy-id ccms@remoteserver, since steps 1 and 3 (passwordless login between the same user names) have already been done.
ansible all -m ping -u ccms

sudo issue (TODO)

To run sudo on the remote machine, the ccms user must be added to the wheel group:

usermod -aG wheel user

The sudo password is ccms's own password, but the user must be in the wheel group:

ansible all -m copy -a "src=/tmp/xu dest=/etc/xu3" -u ccms  --ask-become-pass

But the reboot below fails:

ansible all -a "/sbin/reboot" -u ccms --ask-become-pass   # fails

playbook

---
-
  hosts: all
  name: "install httpd"
  tasks:
    -
      name: "install httpd*"
      yum: "name=httpd state=latest"

The above is a working example that installs httpd. The three dashes at the top mark the start of the document; the other dashes may be on a line of their own or not.

ansible tower

https://computingforgeeks.com/install-and-configure-ansible-tower-on-centos-rhel/
/bin/ansible-tower-service {start|stop|restart|status}

yaml

On the meaning of the dash in YAML: https://www.reddit.com/r/ansible/comments/5jhff3/when_to_use_dash_in_yaml/

tasks:
  - name: date/time stamp
    command: /usr/bin/date
    register: timestamp_start
  - debug: var=timestamp_start
  - name: another task

A dash marks the start of a list item; converting the YAML to JSON shows clearly what difference the dash makes:
https://onlineyamltools.com/convert-yaml-to-json