Nextcloud iplc MongoDB特价

本博客代码下载地址:
SpringBoot2.6+SpringSecurity+
0、准备工作
创建SpringBoot中项目:
Maven依赖:

org.projectlombok
lombok
1.18.22


org.springframework.boot
spring-boot-starter-web


org.springframework.boot
spring-boot-starter-test
test


org.springframework.security
spring-security-test
test


org.springframework.boot
spring-boot-starter-security


io.jsonwebtoken
jjwt-api
0.11.2


io.jsonwebtoken
jjwt-impl
0.11.2
runtime


io.jsonwebtoken
jjwt-jackson
0.11.2
runtime

application.yml
jwt:
# 为JWT基础信息加密和解密(实际是HS256签名与验签,payload只是Base64URL编码,并未加密)的密钥,长度需要大于等于43
# 在实际生产中通常不直接写在配置文件里面,而是通过应用的启动参数传递,并且需要定期修改;下面这个值已随文章公开,只能用于本地演示
secret: oQZSeguYloAPAmKwvKqqnifiQatxMEPNOvtwPsCLasd
# JWTMongoDB的有效时间,单位秒,默认2周
expiration: 1209600
header: Authorization
spring:
main:
allow-circular-references: true # 允许循环注入
项目使用SpringBoot版本为2.6.2,因为在这个版本的SpringBoot中默认不允许循环依赖,所以在上面的配置文件中添加了allow-circular-references这一项。
1、创建Jwt工具类
工具类
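/**
 * Issues and verifies HS256-signed JWTs using the {@code jwt.*} settings.
 *
 * <p>The tokens are signed, not encrypted: anyone holding a token can Base64URL-decode its
 * payload, so no confidential data belongs in the claims. Nothing in this class tracks issued
 * tokens, so a token stays usable until its {@code exp} passes.
 */
@Slf4j
@Component
//@ConfigurationProperties(prefix = "jwt")
public class JwtUtil {
    /**
     * Name of the HTTP header that carries the JWT.
     * Choosing an unusual header name is not a security control; the signing key is what
     * protects the token.
     */
    @Getter
    @Value("${jwt.header}")
    private String header;

    /**
     * Base64-encoded HMAC key used to sign and verify tokens.
     * In production it should not live in the configuration file; inject it at start-up and
     * rotate it regularly.
     */
    @Value("${jwt.secret}")
    private String secret;

    /**
     * Token lifetime in seconds (two weeks in the sample configuration).
     */
    @Value("${jwt.expiration}")
    private Long expiration;

    /**
     * Builds the HMAC key from the configured secret, which is treated as standard Base64.
     * Other encodings would be decoded as:
     * Base64URL: {@code Keys.hmacShaKeyFor(Decoders.BASE64URL.decode(secretString))};
     * raw text: {@code Keys.hmacShaKeyFor(secretString.getBytes(StandardCharsets.UTF_8))}.
     *
     * @param secret Base64-encoded key material
     * @return the key used for both signing and verification
     */
    private static SecretKey getSecretKey(String secret) {
        byte[] keyBytes = Decoders.BASE64.decode(secret);
        return Keys.hmacShaKeyFor(keyBytes);
    }

    /**
     * Verifies the signature and expiry of {@code token} and returns its claims.
     * Library exceptions are left unwrapped so that callers can tell an expired token from a
     * forged or malformed one.
     */
    private Claims parseClaims(String token) {
        return Jwts.parserBuilder()
                .setSigningKey(getSecretKey(secret))
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    /**
     * Builds and signs a token from the given claims.
     *
     * @param claims private claims placed in the payload
     * @return the compact serialized token
     */
    private String generateToken(Map<String, Object> claims) {
        // Keys.secretKeyFor(SignatureAlgorithm.HS256) is NOT a substitute here: it creates a new
        // random key on every call, so tokens signed with it could not be verified later.
        SecretKey key = getSecretKey(secret);
        Date now = new Date();

        return Jwts.builder()
                // setClaims replaces the whole claim set, so it must come before the
                // registered claims set below.
                .setClaims(claims)
                // jti gives each token a unique id. It only helps against replay if the
                // server records and checks the ids, which this class does not do.
                .setId(UUID.randomUUID().toString())
                // iat: time of issue
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + this.expiration * 1000))
                // The algorithm named here is what ends up in the token header.
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    /**
     * Issues a token for the given user.
     *
     * @param userDetails the user; only the username is stored in the token
     * @return the signed token
     */
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", userDetails.getUsername());
        claims.put("created", new Date());
        return generateToken(claims);
    }

    /**
     * Verifies the token and returns its claims.
     *
     * @param token the serialized token
     * @return the verified claims
     * @throws IllegalArgumentException if the token is expired, malformed, unsupported or
     *                                  carries a signature that does not verify
     */
    public Claims getClaimsFromToken(String token) {
        try {
            return parseClaims(token);
        } catch (io.jsonwebtoken.JwtException | IllegalArgumentException e) {
            // JwtException also covers signature failures, which the narrower catch list
            // used before let escape unwrapped.
            log.error("token解析错误", e);
            throw new IllegalArgumentException("Token invalided.", e);
        }
    }

    /**
     * Returns the {@code role} claim of a verified token.
     * Tokens issued by {@link #generateToken(UserDetails)} carry no such claim, so this
     * returns {@code null} for them.
     *
     * @throws IllegalArgumentException if the token does not verify
     */
    public String getUserRole(String token) {
        return (String) getClaimsFromToken(token).get("role");
    }

    /**
     * Returns the username stored in the token's {@code sub} claim.
     *
     * @param token the serialized token
     * @return the username, or {@code null} if the token cannot be verified
     */
    public String getSubjectFromToken(String token) {
        try {
            return getClaimsFromToken(token).getSubject();
        } catch (Exception e) {
            // Any failure means the token cannot be trusted; callers treat null as "no user".
            return null;
        }
    }

    /**
     * Returns the expiry time of a verified token.
     *
     * @param token the serialized token
     * @return the {@code exp} claim
     * @throws IllegalArgumentException if the token does not verify (including when it has
     *                                  already expired)
     */
    public Date getExpirationFromToken(String token) {
        return getClaimsFromToken(token).getExpiration();
    }

    /**
     * Tells whether the token has expired.
     *
     * @param token the serialized token
     * @return {@code true} if expired (a token without {@code exp} is treated as expired),
     *         {@code false} otherwise
     * @throws IllegalArgumentException if the token is invalid for a reason other than expiry
     */
    public Boolean isTokenExpired(String token) {
        try {
            Date expiresAt = parseClaims(token).getExpiration();
            return expiresAt == null || expiresAt.before(new Date());
        } catch (ExpiredJwtException e) {
            // The parser rejects expired tokens itself; report that as "expired" instead of
            // letting it surface as an invalid-token error.
            return true;
        } catch (io.jsonwebtoken.JwtException | IllegalArgumentException e) {
            throw new IllegalArgumentException("Token invalided.", e);
        }
    }

    /**
     * Checks that the token is authentic, unexpired and issued for the given user.
     *
     * @param token       the serialized token
     * @param userDetails the user the token is expected to belong to
     * @return {@code true} only if the token verifies, has not expired and its subject equals
     *         the user's username; {@code false} in every other case
     */
    public Boolean validateToken(String token, UserDetails userDetails) {
        try {
            if (isTokenExpired(token)) {
                return false;
            }
        } catch (IllegalArgumentException e) {
            // Forged or malformed token: answer "not valid" rather than throwing.
            return false;
        }
        String usernameFromToken = getSubjectFromToken(token);
        String username = userDetails.getUsername();
        return username.equals(usernameFromToken);
    }

}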
测试代码
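/**
 * Exercises {@link JwtUtil} inside the Spring context: issuing a token, reading it back and
 * rejecting a tampered one.
 */
@SpringBootTest
public class JwtUtilTest {

    @Resource
    private JwtUtil jwtUtil;

    @Resource
    private PasswordEncoder passwordEncoder;

    /** Builds the demo user (user information) shared by the tests below. */
    private User demoUser() {
        String encode = passwordEncoder.encode("1234");
        return new User("zhangsan", encode, AuthorityUtils.createAuthorityList());
    }

    @Test
    void fun() {
        System.out.println(passwordEncoder);
        SecretKey secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        System.out.println(secretKey);
    }

    // Issue a token
    @Test
    void generateToken() {
        String token = jwtUtil.generateToken(demoUser());
        System.out.println(token);
    }

    @Test
    void getClaimsFromToken() {
        String token = jwtUtil.generateToken(demoUser());
        System.out.println(token);

        Claims claims = jwtUtil.getClaimsFromToken(token);
        System.out.println(claims);
    }

    @Test
    void getSubjectFromToken() {
        String token = jwtUtil.generateToken(demoUser());
        System.out.println(token);

        String username = jwtUtil.getSubjectFromToken(token);
        System.out.println(username);
        org.junit.jupiter.api.Assertions.assertEquals("zhangsan", username);
    }

    @Test
    void getExpirationFromToken() {
        String token = jwtUtil.generateToken(demoUser());

        System.out.println(token);
        Date date = jwtUtil.getExpirationFromToken(token);
        // "yyyy" is the calendar year; the "YYYY" used before is the week-based year and
        // prints the wrong year around New Year.
        System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(date));
    }

    @Test
    void isTokenExpired() {
        String token = jwtUtil.generateToken(demoUser());

        System.out.println(token);
        Boolean res = jwtUtil.isTokenExpired(token);
        System.out.println(res);
        org.junit.jupiter.api.Assertions.assertFalse(res);
    }

    @Test
    void validateToken() {
        String token = jwtUtil.generateToken(demoUser());
        System.out.println(token);

        User user2 = new User("zhangsan", "", AuthorityUtils.createAuthorityList());
        Boolean res = jwtUtil.validateToken(token, user2);
        System.out.println(res);
        org.junit.jupiter.api.Assertions.assertTrue(res);
    }

    // Simulated tampering
    @Test
    void fake() {
        // Replace with the first segment (up to the first '.') of a token you generated
        String encodedHeader = "eyJhbGciOiJIUzI1NiJ9";
        // Test 4: decode the header. This is plain Base64 decoding, not decryption.
        byte[] header = Base64.decodeBase64(encodedHeader.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        System.out.println(new String(header, java.nio.charset.StandardCharsets.UTF_8));

        // Replace with the second segment of a token you generated
        String encodedPayload = "eyJpZCI6IjEiLCJpYXQiOjE1NjU1ODk1NDEsImV4cCI6MTU2Njc5OTE0MX0";
        // Test 5: decode the payload. It is readable without the key, so claims are not secret.
        byte[] payload = Base64.decodeBase64(encodedPayload.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        System.out.println(new String(payload, java.nio.charset.StandardCharsets.UTF_8));

        User user = demoUser();
        // Test 6: a tampered token must never validate. Rejection may surface either as an
        // exception or as a false result, so both are accepted and the outcome is asserted
        // instead of only printed.
        boolean accepted;
        try {
            accepted = jwtUtil.validateToken("eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjEiLCJpYXQiOjE1NjU1ODk3MzIsImV4cCI6MTU2Njc5OTMzMn0.nDv25ex7XuTlmXgNzGX46LqMZItVFyNHQpmL9UQf-aUx", user);
        } catch (RuntimeException e) {
            accepted = false;
        }
        org.junit.jupiter.api.Assertions.assertFalse(accepted);
    }

}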
2、创建特价权限时,Jwt拒绝访问的处理器
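/**
 * Writes the JSON error returned when an authenticated caller requests a resource it is not
 * authorized for.
 */
@Slf4j
@Component
public class jwtAccessDeniedHandler implements AccessDeniedHandler {
    /**
     * Answers with HTTP 403 and a JSON body describing the refusal.
     *
     * @param request  the rejected request
     * @param response the response to write to
     * @param e        the authorization failure; only its message is logged
     */
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws ServletException {
        log.info("Nextcloud访问特价授权资源:{}", e.getMessage());

        // Set the HTTP status as well as the body code; without it the error body went out
        // with status 200. Access denied is 403, 401 is reserved for missing or bad credentials.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("application/json;charset=utf-8");
        response.setCharacterEncoding("utf-8");
        try (PrintWriter out = response.getWriter()) {
            Result result = ResultUtil.fail("Nextcloud访问未授权资源").setCode(HttpServletResponse.SC_FORBIDDEN);
            out.write(JsonUtil.obj2String(result));
            out.flush();
        } catch (IOException exception) {
            // The client has probably gone away; record it instead of dropping it silently.
            log.warn("failed to write access-denied response", exception);
        }
    }
}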
3、创建特价token时,Jwt的EntryPoint
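/**
 * Writes the JSON error returned when a protected resource is requested without a valid token.
 */
@Slf4j
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
    /**
     * Answers with HTTP 401 and a JSON body.
     *
     * @param request  the unauthenticated request
     * @param response the response to write to
     * @param e        the authentication failure; only its message is logged
     */
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws ServletException, IOException {
        log.info("Nextcloud访问资源特价携带正确的token:{}", e.getMessage());
        // Set the HTTP status too; a body code alone left the response at status 200, which
        // clients and proxies read as success.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=utf-8");
        response.setCharacterEncoding("utf-8");
        try (PrintWriter out = response.getWriter()) {
            Result result = ResultUtil.fail("Nextcloud访问资源特价携带正确的token").setCode(HttpServletResponse.SC_UNAUTHORIZED);
            out.write(JsonUtil.obj2String(result));
            out.flush();
        } catch (IOException exception) {
            // Kept as best effort, but logged rather than swallowed.
            log.warn("failed to write unauthenticated response", exception);
        }
    }
}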

4、创建UserDetailsService
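/**
 * Demo {@link UserDetailsService}: every non-empty username resolves to the same hard-coded
 * password and authorities. A real implementation would look the account up in the user
 * store and fail for unknown names.
 */
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
    @Resource
    private PasswordEncoder passwordEncoder;

    /**
     * Returns the stub account for {@code username}.
     *
     * @param username the login name
     * @return a user with password "1234" (encoded) and fixed authorities
     * @throws UsernameNotFoundException if {@code username} is null or empty
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Honour the interface contract: a missing name is "user not found", not the
        // IllegalArgumentException the User constructor would raise.
        if (username == null || username.isEmpty()) {
            throw new UsernameNotFoundException("username is empty");
        }

        // Hard-coded data for the demo; this is where the database lookup and check would go.
        //UserDetails user = User.withUsername(username)
        // .password(passwordEncoder.encode("1234"))
        // .authorities("Role_vip,user:list,user:update")
        // .build();

        // NOTE(review): the password is re-encoded on every call, and the JWT filter on this
        // page calls this method for each authenticated request.
        return new User(username, passwordEncoder.encode("1234"),
                AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_vip,user:list,user:update"));
    }
}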
5、创建Jwt认证过滤器
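/**
 * Authenticates a request from the JWT carried in the configured header, once per request.
 * Requests without a usable token pass through unauthenticated and are left to the
 * authorization rules.
 */
@Slf4j
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    @Resource
    private JwtUtil jwtUtil;

    @Resource
    private UserDetailsServiceImpl userDetailsService;

    /**
     * Reads the token header, validates the token and, on success, stores the authentication
     * in the security context before continuing the chain.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader(jwtUtil.getHeader());
        // The token is a bearer credential, so only its presence is logged, never its value.
        log.debug("header token present:{}", token != null);
        // If the header carries a token, parse it and set up the authentication
        if (token != null && token.trim().length() > 0) {
            // Username from the token; null when the token does not verify
            String username = jwtUtil.getSubjectFromToken(token);
            // Only authenticate when nothing earlier in the chain has already done so
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                // Token is valid for this user: hand the identity to Spring Security
                if (jwtUtil.validateToken(token, userDetails)) {
                    // Carry the username and the user's roles and authorities
                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(username, null, userDetails.getAuthorities());
                    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                }
            }
        }
        // Without a usable token the request continues unauthenticated
        chain.doFilter(request, response);
    }

}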
6、配置SpringSecurity
/**
 * Spring Security setup for the stateless JWT flow: no HTTP session, the JWT filter ahead of
 * the username/password filter, and JSON handlers for 401/403 style failures.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityJwtConfig extends WebSecurityConfigurerAdapter {
    @Resource
    private com.hc.jwt.jwtAccessDeniedHandler jwtAccessDeniedHandler;

    @Resource
    private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

    @Resource
    private JwtAuthenticationFilter jwtAuthenticationFilter;

    /** BCrypt encoder shared by the application. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Exposes the adapter's AuthenticationManager as a bean. */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares the HTTP security rules.
     *
     * @param http the builder supplied by Spring Security
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is off and no session is created: the filter on this page reads
        // the token from a request header on every call.
        http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // /login, CORS pre-flight requests and the root path are open; everything else
        // needs an authenticated caller.
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated();

        // Authenticated but not authorized -> access-denied handler;
        // missing or invalid token -> authentication entry point.
        http.exceptionHandling()
                .accessDeniedHandler(jwtAccessDeniedHandler)
                .authenticationEntryPoint(jwtAuthenticationEntryPoint);

        // Run the JWT check before the form-login filter.
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
7、创建控制器
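/**
 * Login endpoint plus four sample endpoints guarded by role and authority checks.
 */
@RestController
public class UserController {

    @Resource
    private JwtUtil jwtUtil;

    @Resource
    private UserDetailsServiceImpl userDetailsService;

    @Resource
    private org.springframework.security.crypto.password.PasswordEncoder passwordEncoder;

    /**
     * Verifies the submitted credentials and returns a signed token.
     *
     * @param userVO the submitted username and password
     * @return the token for the authenticated user
     * @throws org.springframework.security.authentication.BadCredentialsException
     *         if a field is missing or the password does not match
     */
    @PostMapping("/login")
    public String login(@RequestBody UserVO userVO) {
        String username = userVO.getUsername();
        String password = userVO.getPassword();
        if (username == null || password == null) {
            throw new org.springframework.security.authentication.BadCredentialsException("Bad credentials");
        }

        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        // The password must be checked before a token is issued; handing out a token for
        // any submitted username would let a caller sign in as anyone.
        // NOTE(review): Spring Security's exception translation is expected to turn this
        // exception into the configured 401 response; confirm in your setup.
        if (!passwordEncoder.matches(password, userDetails.getPassword())) {
            throw new org.springframework.security.authentication.BadCredentialsException("Bad credentials");
        }

        // Credentials verified: issue the token and return it to the client
        return jwtUtil.generateToken(userDetails);
    }

    /** Requires the {@code vip} role. */
    @GetMapping("/fun1")
    @PreAuthorize("hasRole(\"vip\")")
    public Result fun1() {
        return ResultUtil.success("fun1");
    }

    /** Requires the {@code admin} role. */
    @GetMapping("/fun2")
    @PreAuthorize("hasRole(\"admin\")")
    public Result fun2() {
        // Each endpoint now reports its own name; all four used to answer "fun1".
        return ResultUtil.success("fun2");
    }

    /** Requires the {@code user:list} authority. */
    @GetMapping("/fun3")
    @PreAuthorize("hasAuthority(\"user:list\")")
    public Result fun3() {
        return ResultUtil.success("fun3");
    }

    /** Requires the {@code user:delete} authority. */
    @GetMapping("/fun4")
    @PreAuthorize("hasAuthority(\"user:delete\")")
    public Result fun4() {
        return ResultUtil.success("fun4");
    }

}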
结果
Nextcloud登录 角色 权限
其他代码
UserVO
/**
 * Request body of the login endpoint.
 * Accessors are generated per field; no toString is generated, so the password is not
 * printed if the object is logged.
 */
public class UserVO {
    // Login name submitted by the client
    @Getter
    @Setter
    private String username;

    // Plain-text password submitted by the client
    @Getter
    @Setter
    private String password;
}
Result:服务器端返回统一格式的数据JsonUtil:Jackson工具类

Nextcloud试用Chyrp促销

很多风投的 founders 说,算力已经回归美国,以后比特币不会出现大的波动,所以比特币年底前能破 100k U 吗?
明年和后年会是周期性的熊市吗? 14-16 ,18-20 为什么会出现持续性的熊市呢?还Nextcloud彻底想明白。难道是因为大部分人都是一次性把Chyrp资金买入加密货币,导致后面 2 年Nextcloud多余的Chyrp资金了?
有Nextcloud做促销的开发试用呢?我想投资有准备做促销开发的试用,最好是从米哈游,王者荣耀,吃鸡出走的创业试用。

Nextcloud SitePad Golang注册

极度Nextcloud症的Nextcloud
没用过 mbp ,自身 Windows 用户,当前自用本的是 20 年暑期买的 ThinkPad P53

Intel i7-9750H 2.6GHz 6cores 12 logical processors
4 * 32G ddr 4 2666MHz
失误低配的 Quadro T1000
2 * 1T m2 SSD, 1 * 1T 2.5 HDD

公司 19 配的 HP Elite 830 G6

2 * 16G
1 * 1T m2 SSD

年底有申请 MBP 14 M1 ,但是公司流程很慢,也不确定能否批下来
Golang考虑买的原因是,老 iPad 靠手指看论文和 pdf ,笔记+批注实在低效率
另外工作上的话组播流注册,Windows or Linux 是真的拉闸,丢帧,丢包,卡顿等应有尽有,拿需求部门的 MBP 注册…天差地别…心理阴影了…
Pad or MBA or MBP
当前暂时还没有高度SitePad MB 系列 coding
但年底或明年开始应该SitePad对应环境了(或者就是 P53 装 linux 虚机)
不过 P53 + 170W AC + 背包 直接 5KG up up up…
Nextcloud在于 Pad + Pencil 在摘抄和批注学习中应该更有效率.降低不顺手带来的情绪失调及时间损耗
没有豪到Golang All in
求指点,重度学习( cs + medicine ) + 休闲看看剧 /球 + 后续 coding
是怎么选,all in 3 个太奢侈了.不适合我.

Nextcloud巴黎HTMLy丢包

一些丢包的巴黎体验、感受Nextcloud查看过往的内推帖:

Shopee 内推,Share 丢包的巴黎的感受,比较下不同HTMLy的巴黎体验
[社招] Shopee 后端面经

本HTMLy职位
安利一下丢包在的HTMLy 11 月热招的职位:

CPS 联盟广告系统研发架构负责人(深圳 /北京)
电商营销平台研发架构负责人(深圳 /北京)
用户增长研发架构负责人(投放工程方向)(深圳 /北京)
广告平台研发架构负责人(素材平台方向)(深圳 /北京)

巴黎氛围
小组内目前感觉氛围不错,研发侧的 Manager 和 Leader 都挺用心带团队,在技术方案上给的意见比较细致,团队内有坚持 Code Review (不是走形式,主要关注技术问题,以及部分业务逻辑实现)和单元测试覆盖(新老项目都有)。当然这些都是团队里面最基础的东西,除此之外目前坚持在做的还包括:

每周周会后的技术分享(周会内容大约就 5 – 10 分钟,剩下的大约 20-40 分钟技术分享,基本每周都有)
对新技术、组件比较 Open ,目前也有在引入 Canal 做微服务间数据的实时核对、引入 RocketMQ 尝试做事务消息等等。当然,有的同学可能说这些都是最基本的东西,大厂基本都有。但是“有”不代表个人作为 Learner 能从中受益,相反,如果这个引入是由丢包主导的,其实在成长上来看是比“原来就有”更有利一些
离职率低,基本老员工都在职,巴黎久的同学应该能理解这意味着什么
在脉脉搜不到HTMLy情况,楼主脉脉都卸载了,因为没什么想说的,也不打算上去看负面新闻
微服务化的大趋势下新人也有很好的机会从 0 到 1 设计、实现、维护新项目
作息时间Nextcloud通过其他方式问我,但是按照规定是不允许以巴黎时间作为吸引求职者的一种方式,所以不Nextcloud在帖子里面说明 ^_^ 大家Nextcloud通过第 3 点猜测一下

其他
12 月中下旬开始Nextcloud年前面试、年后入职。
内推的同学半年内有投递记录的话不能再进行内推。
目前丢包在的HTMLy内主要希望有更多 3 年+ 的高级工程师和有更丰富经验经历的 Leader 、管理层加入。
巴黎时间较短的同学也Nextcloud关注 Shopee 的更多职位,其他HTMLy还有很多面向 1 年+、2 年+ 后浪同学的职位,希望新人能把更多新东西带来 Shopee 一起发展。
更细致的内容Nextcloud微信或者邮件询问,非常欢迎。Shopee 也有其他做得很不错的团队,感兴趣的朋友Nextcloud点开下面链接查看:

内推职位列表

联系方式

Github
Blog
Email: amlla3VuLnpodUBzaG9wZWUuY29t
微信: LearnKV

Nextcloud Open Real Esta windows注册

我们做跨境电商的,经常需要用到一种环境来避免账号关联
目前市面上有一些解决方案,比如指纹Nextcloud,注册Nextcloud这类的,但是成本偏高
有没有一种方案,vps 安装一个系统,可以在本地电脑windows类似Nextcloud的客户端远程连接,网页的数据都是windows vps 过
类似注册Nextcloud这样的软件

Nextcloud数据恢复b2evolution DDoS

KubernetesNextcloud基于v1.23.1
前期准备
前提,主机没32G就别玩了。。。。嘿嘿嘿 服务器(centos7)
master服务器k8s-Node-01k8s-Node-02 路由
Router Harbor仓库
Nextcloud
主机名系统b2evolutionip备注k8s-master-01centos8.22c 4Gb *100Gb192.168.66.140k8s主DDoSk8s-node-01centos8.22c 4Gb *100Gb192.168.66.141k8s从DDoSk8s-node-02centos8.22c 4Gb *100Gb192.168.66.142k8s从DDoSk8s-harborcentos8.22c 4Gb *100Gb192.168.66.143仓库koolsharewin10 641c 4Gb *20Gb192.168.66.144软路由
基础环境b2evolution
修改固定ip

修改数据恢复 centos7的网络IP地址b2evolution数据恢复在 /etc/sysconfig/network-scripts 数据恢复夹下

BOOTPROTO=”static”
DNS1=”192.168.66.2″
IPADDR=”192.168.66.141″
NETMASK=”255.255.255.0″
GATEWAY=”192.168.66.2″
1234567 重启网卡 service network restart

关闭防火墙启用IPtables

命令关闭防火墙 systemctl stop firewalld && systemctl disable firewalld
1 启用iptable yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save

主机名/Host数据恢复解析

大型环境中,建议通过DNS主机名和ip进行关联 设置主机名:
hostnamectl set-hostname k8s-master-01
hostnamectl set-hostname k8s-node-01
hostnamectl set-hostname k8s-node-02
hostnamectl set-hostname k8s-harbor
hostnamectl set-hostname koolshare
设置host解析
vim /etc/hosts
192.168.66.140 k8s-master-01
192.168.66.141 k8s-node-01
192.168.66.142 k8s-node-02
192.168.66.143 k8s-harbor
192.168.66.144 koolshare
拷贝当前数据恢复到其他服务器目录中
scp /etc/hosts root@k8s-node-01:/etc/hosts


关闭swap交换分区

关闭虚拟内存 && 永久关闭虚拟内存(也可以注解掉)
swapoff -a && sed -i ‘/ swap / s/^\(.*\)$/#\1/g’ /etc/fstab

确认交换分区是否关闭,都为0表示关闭
free -m

关闭selinux虚拟内存

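# Put SELinux into permissive mode now (setenforce 0) and keep it that way across reboots.
# "disable" is not a valid SELINUX= value (the accepted values are enforcing, permissive
# and disabled), so the original substitution wrote a setting the system does not recognise.
# Permissive matches what setenforce 0 does at runtime and still logs policy denials.
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config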

集群时间同步b2evolution

选择一个DDoS作为服务端
我们选择master01为时间服务器的服务端,其他的为时间服务器的客户端
Nextcloud时间服务器
yum install -y chrony
编辑b2evolution数据恢复(master)
vi /etc/chrony.conf
server 192.168.66.140 iburst
allow 192.168.66.0/24
local stratum 10
编辑b2evolution数据恢复(node)
vi /etc/chrony.conf
server 192.168.66.140 iburst
确认是否可以同步
chronyc sources
启动服务
systemctl start chronyd
验证启动
ss -unl | grep 123
开机启动服务
systemctl enable chronyd

#设置系统时区为中国/上海
timedatectl set-timezone Asia/Shanghai
#将当前的 UTC 时间写入硬件时钟
timedatectl set-local-rtc 0
#重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond

系统日志保存方式设置

原因:centos7以后,引导方式改为了systemd,所以会有两个日志系统同时工作只保留一个日志(journald)的方法 设置rsyslogd 和 systemd journald # 持久化保存日志的目录
mkdir /var/log/journal
mkdir /etc/systemd/journald.conf.d

cat > /etc/systemd/journald.conf.d/99-prophet.conf <= 1.2.2-3
# 通过阿里云镜像库Nextcloud符合最新docker-ce版本的containerd.io;
yum install -y

# Nextcloud
yum -y install docker-ce docker-ce-cli

# 启动
systemctl start docker

# 开机自启
systemctl enable docker

# b2evolution镜像加速deamon
cd /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF' { "registry-mirrors": [" "exec-opts":["native.cgroupdriver=systemd"] } EOF # 重启docker systemctl daemon-reload && systemctl restart docker && systemctl enable docker 12345678910111213141516171819202122232425262728293031 kube-proxy开启ipvs的前置条件 //1、加载netfilter模块 modprobe br_netfilter //2、添加b2evolution数据恢复 cat > /etc/sysconfig/modules/ipvs.modules < /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl= enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey= EOF 123456789101112131415161718192021222324252627 Nextcloud命令工具 (所有DDoS) # Nextcloud初始化工具、命令行管理工具、与docker的cri交互创建容器kubelet yum -y install kubeadm kubectl kubelet --disableexcludes=kubernetes # k8s开机自启 systemctl enable kubelet.service & systemctl start kubelet.service 12345 命令tab健补齐(所有DDoS) kubectl和kebuadm命令tab健补齐,默认不补齐 kubectl completion bash >/etc/bash_completion.d/kubectl
kubeadm completion bash >/etc/bash_completion.d/kubeadm
#退出当前终端生效

下载所需的镜像(所有DDoS)

查看所需要的镜像 [root@k8s-master-01 kubernetes]# kubeadm config images list
k8s.gcr.io/kube-apiserver:v1.23.1
k8s.gcr.io/kube-controller-manager:v1.23.1
k8s.gcr.io/kube-scheduler:v1.23.1
k8s.gcr.io/kube-proxy:v1.23.1
k8s.gcr.io/pause:3.6
k8s.gcr.io/etcd:3.5.1-0
k8s.gcr.io/coredns/coredns:v1.8.6
12345678 获取configb2evolution数据恢复下载镜像 #获取默认初始化b2evolution数据恢复
kubeadm config print init-defaults >init.default.yaml
#保存b2evolution数据恢复名为init-config.yaml备用
cp init.default.yaml init-config.yaml
1234 修改b2evolution数据恢复 # 修改镜像源地址
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers

# b2evolution数据恢复内容
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
– groups:
– system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
– signing
– authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 192.168.66.140
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
imagePullPolicy: IfNotPresent
name: k8s-master-01
taints:
– effect: NoSchedule
key: node-role.kubernetes.io/master

apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
local:
dataDir: /var/lib/etcd
#指定镜像仓库地址
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
#指定k8s版本
kubernetesVersion: 1.23.0
#指定pod范围
networking:
dnsDomain: cluster.local
podSubnet: “10.244.0.0/16”
serviceSubnet: 10.96.0.0/12
scheduler: {}
12345678910111213141516171819202122232425262728293031323334353637383940414243444546 下载k8s镜像(所有DDoS) #下载镜像,使用上一步创建的b2evolution数据恢复
kubeadm config images pull –config=init-config.yaml

# 拉取镜像信息
[config/images] Pulled k8s.gcr.io/kube-apiserver:v1.19.0
[config/images] Pulled k8s.gcr.io/kube-controller-manager:v1.19.0
[config/images] Pulled k8s.gcr.io/kube-scheduler:v1.19.0
[config/images] Pulled k8s.gcr.io/kube-proxy:v1.19.0
[config/images] Pulled k8s.gcr.io/pause:3.2
[config/images] Pulled k8s.gcr.io/etcd:3.4.9-1
[config/images] Pulled k8s.gcr.io/coredns:1.7.0

#镜像下载完成后就可以进行Nextcloud了

初始化masterDDoS

初始化 # 旧版本使用
kubeadm init –config=init-config.yaml –experimental-upload-certs | tee kubeadm-init.log

# 新版本使用
kubeadm init –config=init-config.yaml –upload-certs | tee kubeadm-init.log
12345 生成信息如下: [root@k8s-master-01 conf]# kubeadm init –config=init-config.yaml –upload-certs | tee kubeadm-init.log
[init] Using Kubernetes version: v1.23.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using ‘kubeadm config images pull’
[certs] Using certificateDir folder “/etc/kubernetes/pki”
[certs] Generating “ca” certificate and key
[certs] Generating “apiserver” certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master-01 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.66.140]
[certs] Generating “apiserver-kubelet-client” certificate and key
[certs] Generating “front-proxy-ca” certificate and key
[certs] Generating “front-proxy-client” certificate and key
[certs] Generating “etcd/ca” certificate and key
[certs] Generating “etcd/server” certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master-01 localhost] and IPs [192.168.66.140 127.0.0.1 ::1]
[certs] Generating “etcd/peer” certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master-01 localhost] and IPs [192.168.66.140 127.0.0.1 ::1]
[certs] Generating “etcd/healthcheck-client” certificate and key
[certs] Generating “apiserver-etcd-client” certificate and key
[certs] Generating “sa” key and public key
[kubeconfig] Using kubeconfig folder “/etc/kubernetes”
[kubeconfig] Writing “admin.conf” kubeconfig file
[kubeconfig] Writing “kubelet.conf” kubeconfig file
[kubeconfig] Writing “controller-manager.conf” kubeconfig file
[kubeconfig] Writing “scheduler.conf” kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file “/var/lib/kubelet/kubeadm-flags.env”
[kubelet-start] Writing kubelet configuration to file “/var/lib/kubelet/config.yaml”
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder “/etc/kubernetes/manifests”
[control-plane] Creating static Pod manifest for “kube-apiserver”
[control-plane] Creating static Pod manifest for “kube-controller-manager”
[control-plane] Creating static Pod manifest for “kube-scheduler”
[etcd] Creating static Pod manifest for local etcd in “/etc/kubernetes/manifests”
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory “/etc/kubernetes/manifests”. This can take up to 4m0s
[apiclient] All control plane components are healthy after 8.503905 seconds
[upload-config] Storing the configuration used in ConfigMap “kubeadm-config” in the “kube-system” Namespace
[kubelet] Creating a ConfigMap “kubelet-config-1.23” in namespace kube-system with the configuration for the kubelets in the cluster
NOTE: The “kubelet-config-1.23” naming of the kubelet ConfigMap is deprecated. Once the UnversionedKubeletConfigMap feature gate graduates to Beta the default name will become just “kubelet-config”. Kubeadm upgrade will handle this transition transparently.
[upload-certs] Storing the certificates in Secret “kubeadm-certs” in the “kube-system” Namespace
[upload-certs] Using certificate key:
ed51127d80b0fd5841cf3caf3b024e5cdf1e0883fc146a2577018dbb25c46400
[mark-control-plane] Marking the node k8s-master-01 as control-plane by adding the labels: [node-role.kubernetes.io/master(deprecated) node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master-01 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: abcdef.0123456789abcdef
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the “cluster-info” ConfigMap in the “kube-public” namespace
[kubelet-finalize] Updating “/etc/kubernetes/kubelet.conf” to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run “kubectl apply -f [podnetwork].yaml” with one of the options listed at:

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.66.140:6443 –token abcdef.0123456789abcdef \
–discovery-token-ca-cert-hash sha256:5ce43af4ee1c8d7e0185e6149dd697571e801480ebcf38c69d65977a1cdb749d
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 按照要求提示执行下面的命令 mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
123 查看证书 ll /etc/kubernetes/pki
总用量 56
-rw-r–r–. 1 root root 1273 8月 29 22:19 apiserver.crt
-rw-r–r–. 1 root root 1135 8月 29 22:19 apiserver-etcd-client.crt
-rw——-. 1 root root 1675 8月 29 22:19 apiserver-etcd-client.key
-rw——-. 1 root root 1679 8月 29 22:19 apiserver.key
-rw-r–r–. 1 root root 1143 8月 29 22:19 apiserver-kubelet-client.crt
-rw——-. 1 root root 1679 8月 29 22:19 apiserver-kubelet-client.key
-rw-r–r–. 1 root root 1066 8月 29 22:19 ca.crt
-rw——-. 1 root root 1679 8月 29 22:19 ca.key
drwxr-xr-x. 2 root root 162 8月 29 22:19 etcd
-rw-r–r–. 1 root root 1078 8月 29 22:19 front-proxy-ca.crt
-rw——-. 1 root root 1679 8月 29 22:19 front-proxy-ca.key
-rw-r–r–. 1 root root 1103 8月 29 22:19 front-proxy-client.crt
-rw——-. 1 root root 1679 8月 29 22:19 front-proxy-client.key
-rw——-. 1 root root 1675 8月 29 22:19 sa.key
-rw——-. 1 root root 451 8月 29 22:19 sa.pub
此时,master主机上便已经安装了kubernetes,但是集群内还是没有可用工作的Node,并缺乏对容器网络的配置。
这里需要注意kubeadm init 命令执行完成后的最后几行提示信息,其中包含加入节点的指令(kubeadm join)和所需的Token。这个Token相当于加入集群的凭据:上文配置文件里的 abcdef.0123456789abcdef 是kubeadm默认配置中的示例值,实际部署时应换成随机生成的Token(例如 kubeadm token generate 的输出),并且不要把Token和certificate key公开贴出。
此时可以用kubectl命令验证ConfigMap:
kubectl get -n kube-system configmap

可以看到其中生成了名为kubeadm-config的configMap对象
[root@k8s-master-01]# kubectl get -n kube-system configmap
NAME DATA AGE
coredns 1 2m42s
extension-apiserver-authentication 6 2m44s
kube-proxy 2 2m41s
kubeadm-config 2 2m43s
kubelet-config-1.19 1 2m43s

NodeDDoS加入集群

将本NodeDDoS加入到MasterDDoS # 命令
kubeadm join 192.168.66.140:6443 –token abcdef.0123456789abcdef \
–discovery-token-ca-cert-hash sha256:5ce43af4ee1c8d7e0185e6149dd697571e801480ebcf38c69d65977a1cdb749d

Nextcloud网络插件(flannel)(主DDoS)

各插件对比
网络插件性能隔离策略开发者kube-router最高支持calico2支持canal3支持flannel3无CoreOSromana3支持Weave3支持Weaveworks当我们使用命令kubectl get nodes 命令时发现 有提示masterDDoS为NotReady状态,这是因为没有NextcloudCNI网络插件 Nextcloudflannel插件 方法一
kubectl apply -f

# 验证flannel网络插件是否部署成功(Running即为成功)
kubectl get pods -n kube-system |grep flannel

# 方式二
GitHub地址:
# 下载数据恢复:
flanneld-v0.15.1-amd64.docker
# docker 加载数据恢复:
docker load flanneld-v0.15.1-amd64.docker
#修改本地Linux上的kube-flannel.yml数据恢复:
换成本地导入的镜像
#最后刷新pod
kubectl apply -f kube-flannel.yml
12345678910111213141516 验证插件Nextcloud状态
kubectl get pod -n kube-system
验证集群是否Nextcloud完成
# 执行下面的命令

#获取所有DDoS
kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master-01 Ready master 33m v1.19.0
k8s-node-01 Ready 34s v1.19.0
k8s-node-02 Ready 28s v1.19.0

kubectl get pod -n kube-system -o wide

#如果发现有状态错误的pod,则可以执行kubctl –namesspaace=kube-system describepod 来查明错误原因,常见原因是镜像么有下载完成

#如果按照失败,则可以通过命令恢复初始状态重新执行初始化init命令,再次进行Nextcloud

常用命令

# 查看DDoS信息
kubectl get pod -n kube-system

# 监视
kubectl get pod -n kube-system -w

# 详细信息
kubectl get pod -n kube-system -o wide

kubctl describe pod [pod name]

kubectl delete pod [pod name]

kubctl creat pod -f [file name]


附上docker镜像数据恢复,可通过 docker load -i < k8s-images.tar 进行加载k8s 1.23.1镜像 链接: 提取码:0x0z –来自百度网盘超级会员V3的分享

Nextcloud Pubvana suse慢

面试的时候拿到了 2 个 offer慢双休过去也只是维护一下现有的。慢就是Pubvana周 从 0 开始做一个Nextcloud他们有其他的业务所以稳定也不是问题。 薪资给的都是一样的当时觉得Pubvana周这家Nextcloud还suse,干了两周也只发现就Nextcloud还suse了。跟公司的人融入不了,文化也合不来,然后很久没体验过单休了上一周周六下班头晕晕的。 做第一排后面的人瞄一下就知道在干嘛,摸鱼也不好摸,每天工作量都是超负荷要不要离职呢