1. Set every virtual machine's IP address to manual, using the same address it obtained automatically;
2. Change every host name to the fully qualified domain name given in "Table 3 - Server IP address allocation";
; Forward zone for skills.com (A records follow the address plan in Table 3)
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
dns     A       10.10.70.111
idm     A       10.10.70.112
app     A       10.10.70.113
lin     A       10.10.70.114
str     A       10.10.70.115
node1   A       10.10.70.116
node2   A       10.10.70.117
www3    A       10.10.70.90
; Reverse zone for 10.10.70.0/24 (70.10.10.in-addr.arpa); each PTR target is a full name ending in a dot
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
111     PTR     dns.skills.com.
112     PTR     idm.skills.com.
113     PTR     app.skills.com.
114     PTR     lin.skills.com.
115     PTR     str.skills.com.
116     PTR     node1.skills.com.
117     PTR     node2.skills.com.
90      PTR     www3.skills.com.
3. Set the time zone of all Linux servers to Shanghai;
timedatectl set-timezone Asia/Shanghai
4. The root user on every Linux host logs in to the other Linux hosts over ssh by fully qualified domain name without a password;
# Generate a key pair on the local machine with ssh-keygen
ssh-keygen
# Install the public key on every host (.111 to .117); the first login by FQDN afterwards still asks to confirm the host key, not a password
for ((i=1; i<8; i++)); do ssh-copy-id 10.10.70.11$i; done
# Copy the whole .ssh directory (private key included) to every host so each of them can reach the others;
# the same private key then lives on all seven machines, so a compromise of any one of them opens all the others
for ((i=1; i<8; i++)); do scp -r /root/.ssh/* 10.10.70.11$i:/root/.ssh/; done
5. Enable the firewall on all Linux servers and open the relevant services in the later configuration steps;
6. Upload the centos8.3 image from the PC's D:/soft folder to Linux-1, mount it on /var/www/html/centos and configure it as a network yum repository that serves packages to this host and every other Linux host; after configuring the yum source, delete the unused configuration files;
# Create the directory served by httpd
mkdir /var/www/html/centos
# Mount the ISO on that directory (add an fstab entry if the mount has to survive a reboot)
mount /root/CentOS-8.3.2011-x86_64-dvd1.iso /var/www/html/centos/
# Install and start httpd
yum install httpd -y
systemctl enable --now httpd
# Open http in the firewall; without --permanent the rule disappears on reload or reboot,
# so repeat the command with --permanent and run firewall-cmd --reload to keep it
firewall-cmd --add-service=http
# Configure yum
# /etc/yum.repos.d/CentOS-Linux-Media.repo
# CentOS-Linux-Media.repo
#
# You can use this repo to install items directly off the installation media.
# Verify that the baseurl below matches the mount point served by httpd on Linux-1.
# gpgcheck=0 turns off RPM signature verification, so the gpgkey line is ignored; with gpgcheck=1
# the key must exist at that path (it is also shipped in the root of the ISO).
[media-baseos]
name=CentOS Linux $releasever - Media - BaseOS
baseurl=http://10.10.70.111/centos/BaseOS
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[media-appstream]
name=CentOS Linux $releasever - Media - AppStream
baseurl=http://10.10.70.111/centos/AppStream
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
# Replace the repo configuration on the other hosts (.112 to .117) with this single file
# (on Linux-1 itself remove the other files under /etc/yum.repos.d/ as well)
for ((i=112; i<118; i++)); do ssh 10.10.70.$i rm -rf /etc/yum.repos.d/; done
for ((i=112; i<118; i++)); do ssh 10.10.70.$i mkdir /etc/yum.repos.d/; done
for ((i=112; i<118; i++)); do scp CentOS-Linux-Media.repo 10.10.70.$i:/etc/yum.repos.d/; done
# Install vim and bash-completion everywhere in one go
for ((i=112; i<118; i++)); do ssh 10.10.70.$i yum install vim bash-completion -y; done
7. Use chrony to configure Linux-1 as the time server that provides time synchronization to the other Linux hosts.
# /etc/chrony.conf on Linux-1 (time server): sync from itself and serve the 10.10.70.0/24 subnet
server 127.0.0.1 iburst
allow 10.10.70.0/24
local stratum 10
# /etc/chrony.conf on the other Linux hosts: use Linux-1 as the only source
server 10.10.70.111 iburst
# Open NTP (udp/123) on Linux-1 so the clients can reach it through the firewall
firewall-cmd --add-service=ntp
# Copy the client version of the file to the other servers (.112 to .117) in one go;
# run this from a host that holds the client file, since Linux-1's own copy is the server version
for ((i=112; i<118; i++)); do scp /etc/chrony.conf 10.10.70.$i:/etc/chrony.conf; done
# Restart the service on each of them
for ((i=112; i<118; i++)); do ssh 10.10.70.$i systemctl restart chronyd; done
2. DNS service and CA service configuration:
[Task description] Build a DNS server so the company's domain names can be used.
1. Using bind, configure Linux-1 as the DNS server providing forward and reverse resolution for all Linux hosts; use rndc so the DNS service can be managed without interruption;
# Query the running server through rndc; the warning line only reports which key and configuration files rndc picked and is not a failure
rndc -s 127.0.0.1 status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: BIND 9.11.20-RedHat-9.11.20-5.el8 (Extended Support Version) <id:f3d1d66>
running on dns.skills.com: Linux x86_64 4.18.0-240.el8.x86_64 #1 SMP Fri Sep 25 19:48:47 UTC 2020
boot time: Tue, 28 Sep 2021 19:43:54 GMT
last configured: Tue, 28 Sep 2021 19:43:54 GMT
configuration file: /etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 105 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 4/150
TCP high-water: 4
server is up and running
2. Configure Linux-1 as a CA server that issues certificates to all Linux hosts. The common name of each certificate is the host's fully qualified domain name; the CA certificate's common name is "Linux-CA" with a validity of 10 years, and certificates issued by the CA are valid for 3 years by default. Other certificate fields:
(1) Country = "CN"
(2) State = "henan" (3) City/County = "luoyang"
(4) Organization = "sayms"
(5) Organizational unit = "com"
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}   # create the CA directory layout
cd /etc/pki/CA
# Create the CA private key as private/cakey.pem and keep it readable by root only
openssl genrsa -out private/cakey.pem 4096
chmod 600 private/cakey.pem
# Create the self-signed CA root certificate in the CA directory; -days counts days, 365 per year, so 3650 is ten years
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:com
Common Name (eg, your name or your server's hostname) []:Linux-CA
Email Address []:
# Create the certificate database index and the starting serial number in the CA directory
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
# The 3-year default validity for issued certificates is default_days = 1095 in the [ CA_default ] section of /etc/pki/tls/openssl.cnf
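The interactive session above leaves the 3-year default and the per-host certificates to later steps. The script below is an added example, not the write-up's own commands: it sets up the same CA non-interactively and issues a host certificate whose CN and subjectAltName are the FQDN. The CA directory is a parameter instead of the fixed /etc/pki/CA so the script can be exercised in a scratch directory; the function names and the openssl.cnf layout are this example's own, the DN values are the ones the task lists (O=sayms, where the session above typed skills), and openssl 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example, not the write-up's own commands: the task's CA as a
# non-interactive script (CA directory passed as $1 instead of /etc/pki/CA).
set -e

# DN fields fixed by the task; the CN is supplied per certificate.
SUBJ_BASE="/C=CN/ST=henan/L=luoyang/O=sayms/OU=com"

# $1 = CA directory. Writes the openssl config the CA uses: 1095 days (3 years)
# default validity for issued certificates, subjectAltName copied from the CSR,
# one extension section for the root and one for server certificates.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 1095
policy = policy_any
x509_extensions = v3_server
copy_extensions = copy
unique_subject = no

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# $1 = CA directory. Creates the layout, the 4096-bit CA key (root-only) and
# the self-signed "Linux-CA" root valid for 10 years.
ca_init() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    write_ca_config "$1"
    touch "$1/index.txt"
    [ -f "$1/serial" ] || echo 01 > "$1/serial"
    openssl genrsa -out "$1/private/cakey.pem" 4096 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -out "$1/cacert.pem" -days 3650 \
        -subj "$SUBJ_BASE/CN=Linux-CA"
}

# $1 = CA directory, $2 = host FQDN, $3 = output directory.
# Issues $3/$2.crt for $3/$2.key with CN and subjectAltName set to the FQDN;
# the validity comes from default_days, i.e. 3 years.
ca_issue() {
    mkdir -p "$3"
    openssl genrsa -out "$3/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$3/$2.key" -out "$3/$2.csr" \
        -subj "$SUBJ_BASE/CN=$2" -addext "subjectAltName=DNS:$2"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$3/$2.csr" -out "$3/$2.crt"
}
```

Usage on Linux-1 would be `ca_init /etc/pki/CA` once, then `ca_issue /etc/pki/CA app.skills.com /etc/pki/tls/certs` per host; `openssl x509 -noout -enddate -in app.skills.com.crt` shows the 3-year end date, and `openssl verify -CAfile /etc/pki/CA/cacert.pem app.skills.com.crt` confirms the chain.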
3. Authentication service and mail service configuration:
[Task description] Build an enterprise identity authentication and mail server; use postfix and dovecot for a faster, easier to manage and more secure mail service.
1. Configure Linux-2 as the NIS server with ypserv listening on port 940; create the 5 users nisuser1 to nisuser5 with home directories /home/nisuser1 to /home/nisuser5;
# Install the NIS server
yum install ypserv.x86_64 -y
# Set the NIS domain name (the server's FQDN is used as the domain name here)
ypdomainname idm.skills.com
echo NISDOMAIN=idm.skills.com >> /etc/sysconfig/network
# Access control in /etc/ypserv.conf (host : domain : map : security); "none" means no restriction,
# so any host that can reach the port can pull every map, passwd.byname included.
# Limiting it to the lab subnet would be:
#   10.10.70.0/255.255.255.0 : * : * : none
#   * : * : * : deny
/etc/ypserv.conf
* : * : * : none
# Create nisuser1 to nisuser5 in one go (home directories default to /home/nisuserN)
for ((i=1; i<6; i++)); do useradd nisuser$i; done
# Build the NIS maps
/usr/lib64/yp/ypinit -m
# Pin ypserv to port 940 as the task requires (the unit reads YPSERV_ARGS from /etc/sysconfig/network)
/etc/sysconfig/network
YPSERV_ARGS="-p 940"
# Restart the service
systemctl restart ypserv.service
# Open the port; the other NIS daemons (rpc.yppasswdd, rpc.ypxfrd) pick random RPC ports unless pinned the same way
firewall-cmd --add-port=940/tcp
firewall-cmd --add-port=940/udp
2. Share the ordinary users' home directories on Linux-2 over NFS so that NIS client users get their home directory mounted automatically at login;
# Install the NFS server
yum install nfs-utils -y
# Export the home directories; "*" lets every host mount them read-write, whereas
# 10.10.70.0/24(rw) would limit the mount to the lab subnet
vim /etc/exports
/home *(rw)
# Restart
systemctl restart nfs-server
# Open the firewall (mountd and rpc-bind are needed by NFSv3 clients and showmount; NFSv4 alone only needs nfs)
firewall-cmd --add-service=nfs
firewall-cmd --add-service=mountd
firewall-cmd --add-service=rpc-bind
3. Configure Linux-3 and Linux-4 as NIS clients that automatically mount the nisuser1 and nisuser2 home directories from Linux-2 under /home at login;
# Install the NIS client, the authconfig compatibility tool, NFS and the automounter
yum install ypbind authselect-compat.x86_64 nfs-utils autofs.x86_64 -y
# Configure NIS and start ypbind
authconfig --enablenis --nisserver="idm.skills.com" --nisdomain="idm.skills.com" --update
# Test the binding with yptest
# Automount: add the map for /home to /etc/auto.master (autofs then owns /home on the client,
# so local users' directories under /home are hidden while the map is active)
/etc/auto.master
/home /etc/home.misc
cp /etc/auto.misc /etc/home.misc
# In home.misc, mount each user's directory from the NIS server on demand
* -rw idm.skills.com:/home/&
# Restart autofs
systemctl restart autofs.service
4. Configure Linux-2 as a KDC server to protect the NFS data of Linux-3 and Linux-4;
5. Configure Linux-2 as the mail server, installing postfix and dovecot;
6. Accept only smtps and pop3s connections; the certificate path is /etc/pki/mail.crt and the private key path is /etc/pki/mail.key;
7. Create the users mail13 and mail23 and send mail to all@sayms.com, making sure every user receives it
NFS service configuration
[Task description] To share resources between Linux hosts and strengthen centralized management of the company's Linux accounts, implement the following with NFS.
1. Configure Linux-3 as the NFS server. On Linux-3 and Linux-4 create the user nfs-client with uid 1100. Sharing requirements for the directory /nfs/ser1: lin.skills.com has read-write access, all users are mapped to nfs-client, and the kdc encryption method is krb5p. Sharing requirements for /nfs/ser2: everyone can read and write without any identity change;
# Create the user (same uid 1100 on Linux-3 and Linux-4 so ownership matches on both sides)
useradd nfs-client -u 1100
# Create the shared directories
mkdir /mnt/{ser1,ser2} -p
# Edit the exports file; all_squash is what maps every client user to anonuid/anongid
# (anonuid alone only affects root, which is squashed by default), and sec=krb5p needs
# a working KDC and nfs/ service principals on both hosts
vim /etc/exports
/mnt/ser1 lin.skills.com(rw,all_squash,anonuid=1100,anongid=1100,sec=krb5p)
/mnt/ser2 *(rw,no_root_squash)
# Restart the service and check the active exports
systemctl restart nfs-server.service
exportfs -v
# Open the firewall
firewall-cmd --add-service=nfs
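The export options in this task and in the /home export of the NIS task decide which identity a remote user ends up with on the server, and they are easy to get subtly wrong (anonuid without all_squash, no_root_squash on a wildcard client, rw without Kerberos). The following is an added example, not part of the write-up: a small linter for /etc/exports lines. The sample input is constructed from the export lines of this write-up, with /mnt/ser1 given twice, without and with all_squash, to show the difference; lint_exports is this example's own function.

```shell
#!/bin/sh
# Added example, not part of the write-up: flag /etc/exports settings that
# change who a remote user becomes on the server.

# Constructed sample: the /home export from the NIS task, /mnt/ser1 without and
# with all_squash, and the deliberately open /mnt/ser2 export.
SAMPLE='/home *(rw)
/mnt/ser1 lin.skills.com(rw,anonuid=1100,anongid=1100,sec=krb5p)
/mnt/ser1 lin.skills.com(rw,all_squash,anonuid=1100,anongid=1100,sec=krb5p)
/mnt/ser2 *(rw,no_root_squash)'

# stdin: /etc/exports lines.  Prints one finding per line; exit status 1 if any.
lint_exports() {
    awk '
        function warn(p, c, msg) { printf "%s %s: %s\n", p, c, msg; bad++ }
        /^[ \t]*(#|$)/ { next }                            # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {                    # one "client(options)" spec per field
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") client = "*"             # "(rw)" with no host means everyone
                rw = 0; norootsq = 0; allsq = 0; anon = 0; sec = "sys"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") norootsq = 1
                    if (o[j] == "all_squash") allsq = 1
                    if (o[j] ~ /^anon(uid|gid)=/) anon = 1
                    if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                }
                if (client == "*" && rw)
                    warn(path, client, "rw for any client")
                if (norootsq)
                    warn(path, client, "no_root_squash: remote root keeps uid 0 here")
                if (anon && !allsq)
                    warn(path, client, "anonuid/anongid without all_squash: only root is mapped, other users keep their own uid")
                if (sec !~ /^krb5/)
                    warn(path, client, "sec=" sec ": client uid claims are trusted without Kerberos")
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run over the constructed sample (exit status ignored here; it is 1 when anything is flagged).
printf '%s\n' "$SAMPLE" | lint_exports || true
```

Feed it the real file with `lint_exports < /etc/exports`; the /mnt/ser2 findings are expected here because the task asks for exactly that export, which is the point of listing them rather than hiding them.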
2. Configure Linux-4 as the NFS client: create the directories /mnt/ser1 and /mnt/ser2 and mount Linux-3's /srv/ser1 and /srv/ser2 on them, mounted automatically;
# Create the mount points
mkdir /srv/{ser1,ser2} -p
mount app.skills.com:/mnt/ser1 /srv/ser1
mount app.skills.com:/mnt/ser2 /srv/ser2
# Mount automatically at boot through fstab
vim /etc/fstab
app.skills.com:/mnt/ser1 /srv/ser1 nfs4 defaults 0 0
app.skills.com:/mnt/ser2 /srv/ser2 nfs4 defaults 0 0
3. For high-speed transfer between Linux-3 and Linux-4, use the second and third network cards of both hosts to build a network team with the link name TeamGroup in roundrobin mode. Configure the network manually, with the IP of each TeamGroup set to the IP address of the first network card. Delete the unused network card connection configurations.
LNMT service configuration
[Task description] Build a dynamic Linux web site for the company using mariadb, tomcat and nginx.
1. Configure Linux-5 as the database server: install the mariadb database and set the database root password to admin. Create the database user dbadmin with full privileges on all databases from any machine; forbid remote root login;
# Install the database server
yum install mariadb-server -y
# Open the mysql service in firewalld
firewall-cmd --add-service=mysql
# Start mariadb
systemctl restart mariadb.service
# Harden the installation interactively (root password, anonymous users, test database, remote root)
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y #set the root password
New password: #admin
Re-enter new password: #admin
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y #root may only log in locally
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
# Create the dbadmin user (no host part means '%', i.e. allowed from any machine)
MariaDB [(none)]> create user dbadmin;
Query OK, 0 rows affected (0.000 sec)
# Grant full privileges on every database and set the password
MariaDB [(none)]> grant all on *.* to dbadmin identified by "dcncloud";
Query OK, 0 rows affected (0.000 sec)
2. Configure Linux-4 as the database client: install the client tools yourself; all subsequent database operations are done on Linux-4. Create the database userdb with the utf8 character set; in it create the table user_auth and insert 2 records, (1,user1,1995-7-1,男) and (2,user2,1995-9-1,女) (male and female); the password is the same as the user name and the password field is encrypted with the password function; the table structure is as follows:
# Install the mariadb client
yum install mariadb -y
# Log in to mariadb on Linux-5 (str.skills.com) as dbadmin
mysql -udbadmin -pdcncloud -h str.skills.com
# Create the database userdb
create database userdb character set utf8;
# Create the user_auth table (a primary key is NOT NULL by definition)
create table user_auth( id int primary key, name varchar(255) not null, birthday datetime, sex char(5), password char(200));
Query OK, 0 rows affected (0.068 sec)
# Show the table structure
desc user_auth;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| id | int(11) | NO | PRI | NULL | |
| name | varchar(255) | NO | | NULL | |
| birthday | datetime | YES | | NULL | |
| sex | char(5) | YES | | NULL | |
| password | char(200) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
5 rows in set (0.001 sec)
# Insert the records
insert into user_auth values (1,"user1","1995-07-01","男",password("user1"));
Query OK, 1 row affected (0.022 sec)
insert into user_auth values (2,"user2","1995-09-01","女",password("user2"));
Query OK, 1 row affected (0.001 sec)
# Query the result
select * from user_auth;
+----+------+---------------------+------+-------------------------------------------+
| id | name | birthday | sex | password |
+----+------+---------------------+------+-------------------------------------------+
| 1 | user1 | 1995-07-01 00:00:00 | 男 | *227EEECD48CB283731B18E6EDFA5B64F4B4C316E |
| 2 | user2 | 1995-09-01 00:00:00 | 女 | *1D8E1ECB9E61CD02DBADCD5A4371D9C9F72FACF4 |
+----+------+---------------------+------+-------------------------------------------+
2 rows in set (0.000 sec)
3. Modify the structure of the table userinfo, adding a new field height (type float) after the name field;
alter table user_auth add height float after name;
Query OK, 0 rows affected (0.293 sec)
Records: 0 Duplicates: 0 Warnings: 0
desc user_auth;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| id | int(11) | NO | PRI | NULL | |
| name | varchar(255) | NO | | NULL | |
| height | float | YES | | NULL | |
| birthday | datetime | YES | | NULL | |
| sex | char(5) | YES | | NULL | |
| password | char(200) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
6 rows in set (0.001 sec)
4. Update the height field of user1 and user2 to 1.71 and 1.69;
# Update the data
update user_auth set height=1.71 where id =1;
Query OK, 1 row affected (0.068 sec)
Rows matched: 1 Changed: 1 Warnings: 0
update user_auth set height=1.69 where id =2;
Query OK, 1 row affected (0.019 sec)
Rows matched: 1 Changed: 1 Warnings: 0
# Query the result
select * from user_auth;
+----+------+--------+---------------------+------+-------------------------------------------+
| id | name | height | birthday | sex | password |
+----+------+--------+---------------------+------+-------------------------------------------+
| 1 | user1 | 1.71 | 1995-07-01 00:00:00 | 男 | *227EEECD48CB283731B18E6EDFA5B64F4B4C316E |
| 2 | user2 | 1.69 | 1995-09-01 00:00:00 | 女 | *1D8E1ECB9E61CD02DBADCD5A4371D9C9F72FACF4 |
+----+------+--------+---------------------+------+-------------------------------------------+
2 rows in set (0.000 sec)
5. Export the records of the table userinfo to the file /root/mysql.sql;
mysql -udbadmin -pdcncloud -h str.skills.com userdb -N -e "select * from user_auth" > /root/mysql.sql
6. On Linux-5 set up an automatic database backup of userdb to /root/userdb.sql every Friday at 1:00 a.m.;
# One-off backup run from the client (options before the database name)
mysqldump -udbadmin -pdcncloud -h str.skills.com userdb > /root/userdb.sql
# Schedule it on Linux-5 with cron; a password given with -p is visible in the process list and in the crontab,
# putting it in /root/.my.cnf (mode 600, under [client]) keeps it out of both
crontab -e
crontab -l
0 1 * * 5 mysqldump -udbadmin -pdcncloud userdb > /root/userdb.sql
7. Configure Linux-3 as the Tomcat server running the dynamic web site. Install the latest openjdk as the Java environment; tomcat is installed from the package in the PC's soft folder into /usr/local/tomcat. Create /usr/lib/systemd/system/tomcat.service to register the service and enable it at boot. The default home page content is "河南网络搭建" (Henan network construction); encrypted access uses the default port 8443; the certificate path is /usr/local/tomcat/conf/tc.pfx in pfx format;
8. Configure Linux-4 as the nginx server: install nginx with the default web root; allow access by domain name only, with http redirected automatically to https. The site configuration file is /etc/nginx/conf.d/proxy-ssl.conf, the certificate path /etc/pki/nginx/nginx.crt, the private key path /etc/pki/nginx/private/nginx.key, validity 10 years;
High availability configuration
[Task description] To express the relationships between cluster resources accurately, use pacemaker to make the web service highly available.
1. Add 3 cloud disks of 5G each to Linux-5 and build a Raid5 from them with the device name /dev/md/md5; the Raid must work after the server reboots. Use the whole Raid as an iSCSI target server providing iSCSI to Linux-6 and Linux-7. The target's wwn is iqn.2021-10.com.skills:server and the initiators' wwn is iqn.2021-10.com.skills:client;
2. Configure Linux-6 and Linux-7 as iSCSI clients with multipath load balancing, path alias mp. On mp create a volume group and a logical volume named vgpool and lvmweb, format with ext4, and configure the lvm scanner on Linux-5 so that Linux-5 does not detect lvmweb, which would otherwise bring down the iscsi service;
3. Configure Linux-6 and Linux-7 as cluster servers, installing pcs from D:\soft\HighAvailability.tar.gz; cluster name my_cluster, resource group apachegroup, Linux-7 as the standby server. Provide Apache with the domain name www3.skills.com, web directory /var/www/html and an index.html containing "Linux集群网站" (Linux cluster web site). The IP resource is named vip with virtual IP 10.10.70.90; the site file system resource is named website, uses lvmweb and is mounted by the cluster on /var/www; the monitor resource is named webstatus with configuration file /etc/httpd/conf/httpd.conf.
Virtualization configuration
[Task description] With the development of virtualization technology the best-known container technology, docker, was born; the company plans to move its production environment to docker. Complete the following items.