1、 实现基于MYSQL验证的vsftpd虚拟用户访问
配置mysql服务
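-- Database and table that pam_mysql reads to authenticate vsftpd virtual users.
-- (Transcript collapsed onto one line in the original; reformatted as a script,
-- observed server output kept as comments.)
CREATE DATABASE vsftpd;
USE vsftpd;

-- `password` holds a MySQL PASSWORD()-style hash ("*" + 40 hex chars = 41 bytes),
-- which is the format pam_mysql compares against when configured with crypt=2;
-- CHAR(48) leaves a little headroom. Login names must be unique, otherwise the
-- module's lookup by name is ambiguous.
CREATE TABLE users (
    id       INT AUTO_INCREMENT NOT NULL PRIMARY KEY,
    name     CHAR(50) BINARY NOT NULL,
    password CHAR(48) BINARY NOT NULL,
    CONSTRAINT users_name_uq UNIQUE (name)
);

-- The original inserted the literal 'zheng123'. With crypt=2 the PAM module
-- expects a PASSWORD() hash, so a plaintext row can never authenticate; the
-- listing below (every row starts with '*') shows the working setup actually
-- stored hashes. PASSWORD() exists on MariaDB (the prompt above) but was
-- removed in MySQL 8 — hash client-side there instead.
INSERT INTO users (name, password) VALUES ('ftp_peng', PASSWORD('zheng123'));

-- Observed contents at the time of the exercise (MariaDB):
-- +----+-----------+-------------------------------------------+
-- | id | name      | password                                  |
-- +----+-----------+-------------------------------------------+
-- |  1 | ftp_zheng | *1E173D19E44764A7D9EFAFF21FCAF6FBC495EA50 |
-- |  2 | ftp_peng  | *1E173D19E44764A7D9EFAFF21FCAF6FBC495EA50 |
-- |  3 | luckly    | *1E173D19E44764A7D9EFAFF21FCAF6FBC495EA50 |
-- |  4 | test      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
-- |  5 | test2     | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
-- +----+-----------+-------------------------------------------+
SELECT id, name, password FROM users;

-- Account used by pam_mysql: SELECT only, restricted to the FTP-server subnet.
-- NOTE(review): this credential appears in cleartext here and again in
-- /etc/pam.d/vsftpd.mysql; treat both as secrets (file permissions, history).
-- On MySQL 8 "GRANT ... IDENTIFIED BY" is gone: CREATE USER first, then GRANT.
GRANT SELECT ON vsftpd.* TO vsftpd@'192.168.33.%' IDENTIFIED BY 'zheng@123';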
安装vsftpd,编译安装pam_mysql
[16:43:12 root@ftp-server ~]#yum install vsftpd
[16:44:12 root@ftp-server ~]yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[16:45:12 root@ftp-server ~]#wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
（注意:这里通过明文 HTTP 下载一个较旧的 PAM 模块源码并以 root 编译安装到 /lib64/security。建议改用 https,并在解压前核对发布方提供的校验和或签名,避免把被篡改的认证模块装进系统。）
[16:43:12 root@ftp-server ~]#cd pam_mysql-0.7RC1
[17:05:49 root@ftp-server pam_mysql-0.7RC1]#./configure --with-pam-mods-dir=/lib64/security
[17:11:55 root@ftp-server pam_mysql-0.7RC1]#make
[17:12:01 root@ftp-server pam_mysql-0.7RC1]#make install
[17:12:08 root@ftp-server pam_mysql-0.7RC1]#ll /lib64/security/pam_mysql*
-rwxr-xr-x 1 root root 882 Jan 8 17:12 /lib64/security/pam_mysql.la
-rwxr-xr-x 1 root root 141768 Jan 8 17:12 /lib64/security/pam_mysql.so
[17:15:11 root@ftp-server ~]#cat /etc/pam.d/vsftpd.mysql
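# /etc/pam.d/vsftpd.mysql — PAM stack for vsftpd virtual users backed by MySQL.
# Both lines embed the MySQL account password in cleartext, so this file must
# not be world-readable (chmod 600 is sufficient: vsftpd consults PAM as root).
# crypt=2 tells pam_mysql that the `password` column holds MySQL PASSWORD()-style
# hashes. The original "account" line ended in a bare `crypt` with no value,
# which does not match the auth line; both phases must use the same scheme.
# NOTE(review): the lookup goes to host=mysqlserver without any TLS option, so
# the DB password and the query cross the network unencrypted — confirm that
# link is trusted, or use the module's SSL options if this build provides them.
auth    required pam_mysql.so user=vsftpd passwd=zheng@123 host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=zheng@123 host=mysqlserver db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2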
[17:15:21 root@ftp-server ~]#useradd -s /sbin/nologin -d /data/ftproot -r vuser
[17:17:23 root@ftp-server ~]#mkdir -pv /data/ftproot/upload
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/ftproot’
mkdir: created directory ‘/data/ftproot/upload’
[17:18:07 root@ftp-server ~]#setfacl -m u:vuser:rwx /data/ftproot/upload/
[17:18:32 root@ftp-server ~]#vim /etc/vsftpd/vsftpd.conf
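# /etc/vsftpd/vsftpd.conf — settings for MySQL-backed virtual users.
# vsftpd authenticates through the PAM service named here. The stack built
# above lives in /etc/pam.d/vsftpd.mysql; with the default ("vsftpd") vsftpd
# would keep consulting local system accounts and never touch the MySQL table.
pam_service_name=vsftpd.mysql
# Anonymous FTP is not part of the virtual-user setup. The original left the
# distribution default (YES) in place, which keeps an unauthenticated read path
# open; turn it off unless anonymous access is actually required.
anonymous_enable=NO
# Every non-anonymous login is treated as a guest and mapped to the local
# nologin account created for this purpose.
guest_enable=YES
guest_username=vuser
# NOTE(review): the login test further down uses plain FTP, so virtual-user
# passwords travel in cleartext; consider ssl_enable=YES together with
# force_local_logins_ssl=YES once a certificate is available.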
[17:22:27 root@ftp-server ~]#systemctl enable --now vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service
测试
[23:27:21 root@lucklyzpp8 ~]#ftp 192.168.33.7
Connected to 192.168.33.7 (192.168.33.7).
220 (vsFTPd 3.0.2)
Name (192.168.33.7:root): ftp_zheng
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
[23:27:41 root@lucklyzpp8 ~]#ftp 192.168.33.7
Connected to 192.168.33.7 (192.168.33.7).
220 (vsFTPd 3.0.2)
Name (192.168.33.7:root): ftp_peng
331 Please specify the password.
Password:
230 Login successful.
2、 配置samba共享,实现/var/www目录共享
服务端配置
[19:07:01 root@lucklyzpp2 ~]#yum install samba -y
[20:10:33 root@lucklyzpp2 ~]#groupadd -r apache
groupadd: group 'apache' already exists
[20:10:49 root@lucklyzpp2 ~]#useradd -s /sbin/nologin -G apache test1
[20:11:37 root@lucklyzpp2 ~]#smbpasswd -a test1
New SMB password:
Retype new SMB password:
Added user test1.
[20:11:53 root@lucklyzpp2 ~]#useradd -s /sbin/nologin test2
[20:12:20 root@lucklyzpp2 ~]#smbpasswd -a test2
New SMB password:
Retype new SMB password:
Added user test2.
[20:12:41 root@lucklyzpp2 ~]#chgrp apache /var/www
[20:13:07 root@lucklyzpp2 ~]#chmod 2775 /var/www
[20:19:51 root@lucklyzpp2 ~]#vim /etc/samba/smb.conf
# Samba share of the web root for members of the apache group.
# /var/www was chgrp'd to apache with mode 2775 above, so files created through
# this share inherit the apache group and remain group-writable.
[share]
path = /var/www
# Only apache-group members (test1 above) may write; other authenticated Samba
# users (e.g. test2) fall back to read-only. NOTE(review): there is no
# `valid users` line, so presumably every smbpasswd account can at least read
# the web root — confirm that is intended.
write list = @apache
[20:21:54 root@lucklyzpp2 ~]#systemctl restart smb nmb
客户端
[19:07:03 root@lucklyzpp2 ~]#yum install cifs-utils -y
[20:08:38 root@lucklyzpp2 ~]#mkdir /mnt/www
[20:22:37 root@lucklyzpp2 ~]#mount -o username=test1 //192.168.33.7/share /mnt/www
Password for test1@//192.168.33.7/share: *********
[20:23:22 root@lucklyzpp2 ~]#ls /mnt/www/
cgi-bin/ html/
[20:23:22 root@lucklyzpp2 ~]#ls /mnt/www/
cgi-bin html
[20:23:41 root@lucklyzpp2 ~]#cd /mnt/www/
[20:23:47 root@lucklyzpp2 www]#touch a.txt
[20:23:53 root@lucklyzpp2 www]#ls
a.txt cgi-bin html
3、使用rsync+inotify实现/data/www目录实时同步
服务器端配置
[21:34:24 root@lucklyzpp2 ~]#yum install inotify-tools
[21:37:33 root@lucklyzpp2 ~]#yum install rsync -y
[21:38:35 root@server ~]#vim /etc/rsyncd.conf
[22:18:20 root@server ~]#cat /etc/rsyncd.conf
# /etc/rsyncd: configuration file for rsync daemon mode
# NOTE(review): the daemon runs as root and the module below is writable, so a
# client holding the rsuser password can create, overwrite or delete (the client
# command uses --delete) anything under /data/www with root privileges. A
# dedicated low-privilege uid/gid that owns /data/www would limit the damage.
uid = root
gid = root
# 0 means no limit on concurrent client connections.
max connections = 0
exclude = lost+found/
ignore errors
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsyncd.lock
reverse lookup = no
# Module "www": clients address it as rsync://HOST/www or HOST::www — by module
# name, never by the filesystem path.
[www]
path = /data/www
comment = www dir
read only = no
# Only rsuser may push. Its password sits in plaintext in the secrets file,
# which therefore must stay root-only (chmod 600 is applied below).
# NOTE(review): no `hosts allow` is set, so any host that can reach port 873 may
# attempt authentication, and the rsync protocol itself is unencrypted.
auth users = rsuser
secrets file = /etc/rsyncd.pas
# [ftp]
# path = /home/ftp
# comment = ftp export area
[22:18:27 root@server ~]#mdkir /data/www
-bash: mdkir: command not found
[22:18:48 root@server ~]#mkdir /data/www
mkdir: cannot create directory ‘/data/www’: File exists
[22:18:54 root@server ~]#mkdir -pv /data/www
[22:19:06 root@server ~]#touch /data/www/kk.txt
[22:19:21 root@server ~]#cat /etc/rsyncd.pas
rsuser:luckly001
[22:20:04 root@server ~]#chmod 600 /etc/rsyncd.pas
[22:20:19 root@server ~]#rsync --daemon
客户端
[22:20:00 root@client ~]#yum install inotify-tools
[22:20:27 root@client ~]#yum install rsync -y
[22:21:27 root@client ~]#cat /etc/rsyncd.pas
luckly001
[22:21:35 root@client ~]#chmod 600 /etc/rsyncd.pas
[22:21:47 root@client ~]#rsync rsync://192.168.33.17
www www dir
[22:24:57 root@client ~]#rsync -avz --delete --password-file=/etc/rsyncd.pas /data/www/ rsuser@192.168.33.17::www
（说明:daemon 模式下 "::" 后面接的是模块名 www,而不是服务端路径 /data/www;原命令写成 ::/data/www 会被 rsync 以 "remote path must start with a module name" 拒绝。另外本节标题是 rsync+inotify 实时同步,但上面只安装了 inotify-tools,没有给出用 inotifywait 监控 /data/www 变化后触发这条 rsync 的循环脚本,需要补上。--delete 会删除服务端多出的文件,配合 uid=root 的 rsyncd 使用时要格外谨慎。）
4、 LVS调度算法总结
Lvs-nat:本质是多目标IP的DNAT,通过将请求报文中的目标地址和目标端口修改为某挑出的RS的RIP和PORT实现转发
(1)RIP和DIP应在同一个IP网络,且应使用私网地址;RS的网关要指向DIP
(2)请求报文和响应报文都必须经由Director转发,Director易于成为系统瓶颈
(3)支持端口映射,可修改请求报文的目标PORT
(4)VS必须是Linux系统,RS可以是任意OS系统
LVS-DR:Direct Routing,直接路由,LVS默认模式,应用最广泛,通过为请求报文重新封装一个MAC首部进行转发,源MAC是DIP所在的接口的MAC,目标MAC是某挑选出的RS的RIP所在接口的MAC地址;源IP/PORT,以及目标IP/PORT均保持不变。
DR模式的特点:
1. Director和各RS都配置有VIP
2. 确保前端路由器将目标IP为VIP的请求报文发往Director
3. RS的RIP可以使用私网地址,也可以是公网地址;RIP与DIP在同一IP网络;RIP的网关不能指向DIP,以确保响应报文不会经由Director
4. RS和Director要在同一个物理网络
5. 请求报文要经由Director,但响应报文不经由Director,而由RS直接发往Client
6. 不支持端口映射(端口不能修改)
7. 无需开启 ip_forward
8. RS可使用大多数OS系统
LVS的TUN模式
转发方式:不修改请求报文的IP首部(源IP为CIP,目标IP为VIP),而在原IP报文之外再封装一个IP首部(源IP是DIP,目标IP是RIP),将报文发往挑选出的目标RS;RS直接响应给客户端(源IP是VIP,目标IP是CIP)
TUN模式特点:
1. RIP和DIP可以不处于同一物理网络中,RS的网关一般不能指向DIP,且RIP可以和公网通信。也就是说集群节点可以跨互联网实现。DIP、VIP、RIP可以是公网地址
2. RealServer的tun接口上需要配置VIP地址,以便接收Director转发过来的数据包,以及作为响应报文的源IP
3. Director转发给RealServer时需要借助隧道,隧道外层的IP头部的源IP是DIP,目标IP是RIP;而RealServer响应给客户端的IP头部是根据隧道内层的IP头分析得到的,源IP是VIP,目标IP是CIP
4. 请求报文要经由Director,但响应不经由Director,响应由RealServer自己完成
5. 不支持端口映射
6. RS的OS须支持隧道功能
(1)IPVS调度器实现了如下十种负载调度算法
固定调度算法:rr,wrr,dh,sh
动态调度算法:wlc,lc,lblc,lblcr,SED,NQ.
最常用的三种:RR WRR WLC
(2)固定调度算法
a、rr:轮询调度(Round Robin)
将请求依次分配不同的RS节点,RS服务器均摊请求,这种算法比较简单,但是只适合RS节点相差性能不大的情况
b、wrr:加权轮询调度(Weighted Round Robin)
它将依据不同RS节点的权值分配任务,权值高的RS将优先获得任务,并且分配的连接数比权值低的RS节点更多。相同权值的RS得到相同数目的连接数
c、dh:目标地址散列(destination hashing)
以目的地址为关键字查找一个静态hash表来获取需要的RS
d、sh:源地址散列(source hashing)
以源地址为关键字查找一个静态hash表来获取需要的RS
(3)动态调度算法:
a、wlc:加权最小连接数调度(weighted least-connection)
假设各台RS的权值依次为Wi(i=1...n),当前的TCP连接数依次为Ti(i=1...n),每次取Ti/Wi最小的RS作为下一个分配的RS
b、LC:最少链接(Least Connections)
调度器通过"最少连接"调度算法动态地将网络请求调度到已建立的链接数最少的服务器上。如果集群系统的真实服务器具有相近的系统性能,采用"最小连接"调度算法可以较好地均衡负载。
c、LBLC:基于局部性的最少链接(Locality-Based Least Connections)
"基于局部性的最少链接" 调度算法是针对目标IP地址的负载均衡,目前主要用于Cache集群系统。该算法根据请求的目标IP地址找出该目标IP地址最近使用的服务器,若该服务器是可用的且没有超载,将请求发送到该服务器;若服务器不存在,或者该服务器超载且有服务器处于一半的工作负载,则用"最少链接"的原则选出一个可用的服务器,将请求发送到该服务器。
d、LBLCR:带复制的基于局部性最少链接(Locality-Based Least Connections with Replication)
"带复制的基于局部性最少链接"调度算法也是针对目标IP地址的负载均衡,目前主要用于Cache集群系统。
e、SED:最短期望延迟(Shortest Expected Delay)
基于wlc算法,简单算法:(active+1)*256/weight 【(活动的连接数+1)*256/除以权重】
f、NQ:永不排队(never queue)
无需队列(改进的sed),如果有台realserver的连接数=0就直接分配过去,不需要在进行sed运算。
5、LVS的跨网络DR实现
环境:五台主机
一台:客户端 10.0.0.7/24 GW:10.0.0.8(指向ROUTER的ens160;下文客户端ifcfg-ens33中也是GATEWAY="10.0.0.8",原文写的GW:10.0.0.1与之不一致)
一台:ROUTER
ens33 :NAT 192.168.33.17/24
ens160:仅主机模式 10.0.0.8/24
启用 IP_FORWARD
两台RS:
RS1:192.168.33.27/24 GW:192.168.33.17
RS2:192.168.33.37/24 GW:192.168.33.17
一台:LVS
ens33: 192.168.33.47/24 GW:192.168.33.17
Client配置
[22:55:05 root@client ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="e6c0cbe8-e996-4cb6-a0db-f7e3facb5585"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="10.0.0.7"
PREFIX="24"
GATEWAY="10.0.0.8"
DNS1=8.8.8.8
DNS2=114.114.114.114
IPV6_PRIVACY="no"
Router配置两个网卡接口
[22:30:17 root@router-17-8 ~]#ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:5b:9b:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.17/24 brd 192.168.33.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::110d:df2c:acc0:62ff/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:5b:9b:5f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5b:9b5f/64 scope link
       valid_lft forever preferred_lft forever
[22:51:34 root@router-17-8 ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    101    0        0 ens160
0.0.0.0         192.168.33.1    0.0.0.0         UG    102    0        0 ens33
10.0.0.0        0.0.0.0         255.255.255.0   U     101    0        0 ens160
192.168.33.0    0.0.0.0         255.255.255.0   U     102    0        0 ens33
[23:03:00 root@router-17-8 ~]#cat /etc/sysctl.conf | grep -v "#"
net.ipv4.ip_forward=1
[23:03:08 root@router-17-8 ~]#sysctl -p
net.ipv4.ip_forward = 1
配置RS1
[22:44:29 root@lucklyzpp2 ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="0f62e59f-efdb-401e-bec2-6e0986e0f861"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.33.27"
PREFIX="24"
GATEWAY="192.168.33.17"
DNS1=8.8.8.8
DNS2=114.114.114.114
IPV6_PRIVACY="no"
（DR模式下必须先把arp_ignore设为1、arp_announce设为2,再在lo上配置VIP,否则RS会对VIP的ARP请求作出应答、与Director抢VIP。RS1上这两个参数已预先设置好,下面只是确认。）
[23:04:43 root@lucklyzpp2 ~]#cat /proc/sys/net/ipv4/conf/all/arp_ignore
1
[23:05:31 root@lucklyzpp2 ~]#cat /proc/sys/net/ipv4/conf/all/arp_announce
2
[23:05:40 root@lucklyzpp2 ~]#cat /proc/sys/net/ipv4/conf/lo/arp_ignore
1
[23:05:59 root@lucklyzpp2 ~]#cat /proc/sys/net/ipv4/conf/lo/arp_announce
2
[23:06:07 root@lucklyzpp2 ~]#ifconfig lo:1 192.168.33.100/32
[23:06:57 root@lucklyzpp2 ~]#ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.33.100/0 scope global lo:1
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:73:1e:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.27/24 brd 192.168.33.255 scope global noprefixroute ens33
（注意:lo上的VIP应为/32,但上面ip add输出显示为192.168.33.100/0,与预期不符,需核实掩码是否正确;更可靠的写法是 ip addr add 192.168.33.100/32 dev lo label lo:1。）
配置RS2
[23:06:44 root@rs2 ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="d90a834c-3a92-4050-b6db-23a83948fe26"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.33.37"
PREFIX="24"
GATEWAY="192.168.33.17"
DNS1=8.8.8.8
DNS2=114.114.114.114
IPV6_PRIVACY="no"
（原记录中此处为GATEWAY="10.0.0.8":10.0.0.8不在192.168.33.37/24的直连网段内,无法作为网关,也与环境说明中RS2 GW:192.168.33.17不一致。RS的网关必须指向ROUTER的192.168.33.17,响应报文才能不经Director直接路由回10.0.0.7的客户端;下文测试能收到RS2的响应,说明实际生效的网关就是192.168.33.17。）
[23:07:57 root@rs2 ~]#echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[23:08:01 root@rs2 ~]#cat /proc/sys/net/ipv4/conf/all/arp_ignore
1
[23:08:18 root@rs2 ~]#echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[23:08:24 root@rs2 ~]#echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[23:08:47 root@rs2 ~]#echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[23:08:58 root@rs2 ~]#ifconfig lo:1 192.168.33.100/32
配置LVS
[23:13:14 root@lvs ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="b96a8fc0-91c2-4fb3-b564-bce6012e9f51"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.33.47"
PREFIX="24"
GATEWAY="192.168.33.17"
DNS1=8.8.8.8
DNS2=114.114.114.114
IPV6_PRIVACY="no"
（原记录中此处为GATEWAY="10.0.0.8",不在192.168.33.47/24直连网段内,且与环境说明中LVS GW:192.168.33.17不一致,应指向ROUTER。）
[22:13:12 root@lvs ~]#yum -y install ipvsadm
（补充:DR模式要求Director本身也配置VIP(见上文"DR模式的特点"第1条),本记录缺少这一步,例如 ip addr add 192.168.33.100/32 dev ens33 label ens33:1;否则ROUTER无法通过ARP把目标为VIP的报文解析到Director。另外ipvsadm规则不会自动持久化,需要时用 ipvsadm-save 保存。）
[22:49:27 root@lvs ~]#ipvsadm -A -t 192.168.33.100:80 -s wrr
[22:50:08 root@lvs ~]#ipvsadm -a -t 192.168.33.100:80 -r 192.168.33.27 -g -w 3
[22:51:09 root@lvs ~]#ipvsadm -a -t 192.168.33.100:80 -r 192.168.33.37 -g
[23:12:06 root@lvs ~]#ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.33.100:80 wrr
  -> 192.168.33.27:80             Route   3      0          0
  -> 192.168.33.37:80             Route   1      0          0
测试访问
[23:14:09 root@client ~]#curl 192.168.33.100
192.168.33.37
[23:14:10 root@client ~]#curl 192.168.33.100
192.168.33.27