2024-Q1-notes
Ubuntu Docker 安装
使用官方脚本安装
# Download first, then read the script before running it as root -- it adds
# repositories and installs packages system-wide. test.docker.com is Docker's
# *test* channel; get.docker.com serves the stable one.
curl -fsSL https://test.docker.com -o test-docker.sh
sh test-docker.sh
linux 网络参数优化
优化linux内核参数
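release="ubuntu"
# Refresh the package index and upgrade the base system for the selected distro.
if [[ ${release} == "centos" ]]; then
  yum makecache
  yum install epel-release -y
  yum update -y
else
  apt update
  apt dist-upgrade -y
  apt autoremove --purge -y
fi
# OUT_ALERT is the author's logging helper; it is not defined on this page.
OUT_ALERT "[信息] 正在安装 haveged 增强性能中!"
if [[ ${release} == "centos" ]]; then
  yum install haveged -y
else
  apt install haveged -y
fi
OUT_ALERT "[信息] 正在配置 haveged 增强性能中!"
# Enable at boot and (re)start now. The original disable --now / enable --now
# pair achieved the same restart in two steps.
systemctl enable haveged
systemctl restart haveged
OUT_ALERT "[信息] 正在优化系统参数中!"
modprobe ip_conntrack
# The three config files below are replaced wholesale; keep a copy of whatever
# was there so the previous settings can be restored or diffed.
stamp=$(date +%Y%m%d%H%M%S)
for f in /etc/sysctl.conf /etc/security/limits.conf /etc/systemd/journald.conf; do
  [[ -f "$f" ]] && cp -a -- "$f" "$f.bak.$stamp"
done
chattr -i /etc/sysctl.conf
# Security-relevant choices in this profile (kept exactly as the author set them):
#  * rp_filter = 0 turns off reverse-path (anti-spoofing) source validation on
#    every interface; only needed for asymmetric routing / some CNIs.
#  * ip_forward / ipv6 forwarding = 1 make the host route packets -- pair with
#    firewall rules.
#  * tcp_timestamps = 0 disables PAWS protection against wrapped sequence numbers.
#  * tcp_tw_reuse = 1 and tcp_fin_timeout = 10 trade strictness for churn.
# The heredoc delimiters are quoted: the content is written literally, nothing
# is expanded by the shell.
cat > /etc/sysctl.conf << 'EOF'
vm.swappiness = 0
fs.file-max = 1024000
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 1024000
net.core.default_qdisc = fq_pie
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 10
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 8192
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_congestion_control = bbr
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
EOF
# Raising nofile/nproc for "*" applies to every account, which also removes
# the fork-bomb ceiling for unprivileged users.
cat > /etc/security/limits.conf << 'EOF'
* soft nofile 512000
* hard nofile 512000
* soft nproc 512000
* hard nproc 512000
root soft nofile 512000
root hard nofile 512000
root soft nproc 512000
root hard nproc 512000
EOF
# ForwardToSyslog=no stops journald handing entries to a local syslog daemon;
# make sure a shipper (journal remote, a collector agent) still receives them,
# or detection and forensics lose this host's logs.
cat > /etc/systemd/journald.conf << 'EOF'
[Journal]
SystemMaxUse=384M
SystemMaxFileSize=128M
ForwardToSyslog=no
EOF
# -p reloads /etc/sysctl.conf only; keys the running kernel does not know are
# reported and skipped.
sysctl -p
流水线使用jenkins api调用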
获取调用jenkins参数
select build_params from `t_cicd_job_build` where build_url = "http://172.24.1.169:8088/job/be-rc-java/63/";
将参数传给脚本,测试代码
import os

import jenkins
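def list_to_str(*args, **kwargs):
    """Flatten Jenkins build parameters whose values arrive as one-element lists.

    Every keyword argument is copied into a new dict; a value that is a
    non-empty list is replaced by its first element, anything else is passed
    through unchanged. ``*args`` is accepted for compatibility and ignored.

    Returns:
        dict: the flattened parameters.
    """
    new_dict = {}
    for key, value in kwargs.items():
        print(key, value)
        # The original reused a stale ``v`` for non-list values (and raised
        # NameError when the first value was not a list); decide per value.
        if isinstance(value, list) and value:
            new_dict[key] = value[0]
        else:
            new_dict[key] = value
    return new_dict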
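# Credentials come from the environment instead of being hard-coded: the
# original embedded the Jenkins admin password in plaintext in these notes.
# Variable names below are this note's own convention; an API token works as
# ``password`` too.
server = jenkins.Jenkins(
    os.environ.get('JENKINS_URL', 'http://172.24.1.169:8088/'),
    username=os.environ['JENKINS_USER'],
    password=os.environ['JENKINS_TOKEN'],
)
job_name = "be-rc-java"
# Must be a mapping (the build_params column from the query above, decoded);
# the original assigned '' here and ``**''`` raises TypeError in list_to_str.
build_args = {}
parse_args = list_to_str(**build_args)
print(parse_args)
server.build_job(job_name, parse_args)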
centos7.9 安装python3.9.18
安装依赖
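# Build dependencies for CPython on CentOS 7. Duplicates (sqlite-devel,
# readline-devel, openssl-devel were listed twice) are removed; libbz2-dev is
# the Debian package name and bzip2-devel already covers it on yum systems.
yum install -y gcc make patch gdbm-devel openssl-devel sqlite-devel readline-devel zlib-devel bzip2-devel ncurses-devel libffi-devel xz-devel python-backports-lzma sqlite tk-devel curl-devel
解压编译python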
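# Source tarball: https://www.python.org/ftp/python/3.9.18/Python-3.9.18.tar.xz
# Check the download against the checksum/signature published on python.org
# before building it.
# Extract -- the archive unpacks to /tmp/Python-3.9.18; the original then
# cd'd to /tmp/Python, which does not exist.
tar -xvf Python-3.9.18.tar.xz -C /tmp
# Configure. && keeps configure from running in the wrong directory if cd
# fails; the build/install steps are not part of these notes.
cd /tmp/Python-3.9.18 && ./configure --enable-optimizations
squid 带认证配置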
配置文件示例如下
# http_access rules are evaluated top to bottom; the first match wins.
acl denylist dstdomain "/etc/squid/denylist"
http_access deny denylist
#http_access deny CONNECT denylist
# Passes the client address to origin servers in X-Forwarded-For; switch off
# if clients' IPs must not leak upstream.
forwarded_for on
reply_header_access Content-Type allow all
# Listens on every interface; prefix an address (ip:3128) if the proxy is not
# meant to be reachable from outside.
http_port 3128
coredump_dir /var/spool/squid
# Basic auth against the htpasswd-style file created below. Basic sends the
# credentials in clear text, so this only makes sense on a trusted network.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_users
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# Only the listed user name may authenticate. The htpasswd step below creates
# user "ops", which this acl does not list -- add it here or use REQUIRED
# (any user present in the password file).
acl auth_users proxy_auth proxyuser #allowed authenticated users
http_access allow auth_users
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid's default safety rules (deny !Safe_ports, deny CONNECT !SSL_ports) are
# not part of this example, so authenticated users may CONNECT to any port.
http_access deny all
借助apache htpasswd 生成账号密码
# ubuntu
apt install apache2-utils
# centos
yum -y install httpd-tools
# Create the password file. -c (re)creates the file, so omit it when adding
# further users. The user name (ops) must also appear in the proxy_auth acl in
# squid.conf, which currently lists only "proxyuser". The file is typically
# created 0644; restrict it to the account basic_ncsa_auth runs as.
htpasswd -c /etc/squid/squid_users ops
# Verify: the helper reads "user password" pairs on stdin and answers OK/ERR.
/usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_users
# If basic_ncsa_auth is not at this path, locate it with find /.
配置代理
# shell client
# Credentials on the curl command line are visible to every user via ps, the
# exported variables are inherited by every child process, and both end up in
# shell history. `curl -U 用户名` alone prompts for the password; a netrc or
# curl config file with restricted permissions avoids argv/env entirely.
export http_proxy="http://用户名:密码@111.111.44.44:3128"
export https_proxy="http://用户名:密码@111.111.44.44:3128"
curl -x "http://xxxxxxxx:3128" -U "用户名:密码" www.baidu.com
基础镜像dockerfile
java/node/python/nginx
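FROM alpine:3.18.5
ARG user=app
ARG group=app
ENV npm_config_disturl="https://registry.npmmirror.com/mirrors/node" \
    SASS_BINARY_SITE="https://registry.npmmirror.com/mirrors/node-sass" \
    NODE_VERSION=16.19.1 \
    PYTHON_VERSION=3.9.18 \
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/jdk/bin:/usr/local/jre/bin:/usr/local/node/bin:/usr/glibc-compat/bin \
    LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8
# Every step is chained with && so a failure aborts the build instead of being
# hidden behind ';' (the original mixed the two). None of the downloaded
# artifacts (glibc apks, JDK, node, python tarballs) is checksum-verified; pin
# sha256 sums next to the URLs unless the repo is fully trusted. The sgerrand
# key added below stays in /etc/apk/keys for the life of the image, so every
# package signed with it is trusted by apk from then on.
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories \
    && wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://repo.tuzhanai.com/repository/tuzhan-middleware/amd64/os-lib/alpine/sgerrand.rsa.pub \
    && wget -q -O /tmp/glibc-2.35-r1.apk https://repo.tuzhanai.com/repository/tuzhan-middleware/amd64/os-lib/alpine/glibc-2.35-r1.apk \
    && wget -q -O /tmp/glibc-bin-2.35-r1.apk https://repo.tuzhanai.com/repository/tuzhan-middleware/amd64/os-lib/alpine/glibc-bin-2.35-r1.apk \
    && wget -q -O /tmp/glibc-i18n-2.35-r1.apk https://repo.tuzhanai.com/repository/tuzhan-middleware/amd64/os-lib/alpine/glibc-i18n-2.35-r1.apk \
    && wget -q -O /tmp/OpenJDK8U-x64_linux_8u212b04.tar.gz https://repo.tuzhanai.com/repository/tuzhan-middleware/common/env/jdk/OpenJDK8U-x64_linux_8u212b04.tar.gz \
    && wget -q -O /tmp/node-v$NODE_VERSION-linux-x64-musl.tar.xz https://repo.tuzhanai.com/repository/tuzhan-middleware/common/env/node/node-v$NODE_VERSION-linux-x64-musl.tar.xz \
    && wget -q -O /tmp/Python-$PYTHON_VERSION.tar.xz https://repo.tuzhanai.com/repository/tuzhan-middleware/common/env/python/Python-$PYTHON_VERSION.tar.xz \
    && wget -q -O /etc/apk/keys/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
    && apk add --no-cache libc6-compat /tmp/*.apk curl fontconfig ttf-dejavu libstdc++ sqlite-dev sqlite sudo && apk add --no-cache --virtual .build-deps tzdata make g++ gcc \
    && addgroup -g 1000 $group && adduser $user -D -G $group -u 1000 \
    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo "Asia/Shanghai" > /etc/timezone \
    # OpenJDK 8u212 dates from 2019 and is far behind current 8u security
    # updates; Node 16 is end-of-life. Both need refreshing before this serves
    # as a base image.
    && tar -xvf /tmp/OpenJDK8U-x64_linux_8u212b04.tar.gz -C /usr/local && ln -sv /usr/local/openjdk-8u212-b04 /usr/local/jdk \
    && mkdir -p /usr/local/node && tar -xvf /tmp/node-v$NODE_VERSION-linux-x64-musl.tar.xz -C /usr/local/node --strip-components=1 --no-same-owner \
    && corepack enable pnpm && npm install -g pm2 && pm2 install pm2-logrotate \
    && mkdir -p /usr/src/python && tar -xvf /tmp/Python-$PYTHON_VERSION.tar.xz -C /usr/src/python --strip-components=1 \
    && cd /usr/src/python \
    && ./configure --enable-loadable-sqlite-extensions --enable-optimizations --enable-shared --with-system-expat --without-ensurepip \
    && make \
    && make install \
    && rm -rf /usr/src/python && find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + \
    && apk del --no-network .build-deps && python3 --version \
    && NGINX_VERSION=1.25.4 PKG_RELEASE=1 NJS_VERSION=0.8.3 \
    && nginxPackages=" nginx=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} " \
    # $nginxPackages is deliberately unquoted: it is a space-separated list.
    && apk add -X "https://nginx.org/packages/mainline/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main/" --no-cache $nginxPackages \
    && rm /usr/share/nginx/html/* /etc/nginx/conf.d/default.conf /var/log/nginx/* -f \
    && ln -svnf /usr/glibc-compat/lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 \
    && rm -f /tmp/* \
    && mkdir -p /app /data/logs \
    # NOTE(review): passwordless sudo for the app user makes "non-root" cosmetic;
    # anything running as $user can become root. Drop this line (and the sudo
    # package above) unless one specific command needs it, then list only that
    # command. Kept as the author wrote it.
    && echo "${user} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
    && chown $user:$group /app /data/logs \
    && localedef -i en_US -f UTF-8 en_US.UTF-8
k8s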
一、副本数修改为0
# Scale the Deployment to zero (equivalent to kubectl scale --replicas=0); the
# object and its pod template stay, so restoring is another patch.
kubectl patch deploy rp-fe-a-home2b -p '{"spec":{"replicas":0}}' -n rp-uat-env
二、驱逐pod
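server="rp-prod-k8s-be-server14"
# Derive the release name (pod name up to the first "-<digits>" segment) of
# every pod scheduled on $server, then drain that node one release at a time.
# awk -v keeps the node name out of the regex, and column 7 (NODE in `-o wide`
# output) is compared exactly, so a node such as "...server140" no longer
# matches too. sort -u runs drain once per release; the pod-selector already
# covers all of that release's pods. read -r keeps backslashes intact.
kubectl get pods -n rp-prod-env -o wide \
  | awk -v node="$server" 'NR > 1 && $7 == node {print $1}' \
  | sed -r 's#([^0-9]+)-(.*)#\1#' \
  | sort -u \
  | while IFS= read -r i; do
      kubectl drain "$server" --pod-selector="app.kubernetes.io/instance=$i"
    done
三、名称空间terminating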
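# Namespace stuck in Terminating: dump it, clear spec.finalizers in the dump,
# then PUT the result to the finalize subresource through a local kubectl
# proxy (127.0.0.1:8001 is its default address). Without the edit step the
# finalizer stays in place and the PUT changes nothing.
kubectl get ns ingress-nginx -o json > ingress-nginx.json
# Forcing a finalizer away bypasses whatever cleanup it guarded: confirm the
# namespace really holds no remaining resources first, or they are orphaned.
# -k (skip TLS verification) dropped -- the proxy endpoint is plain http.
curl -H "Content-Type:application/json" -X PUT --data-binary @ingress-nginx.json http://127.0.0.1:8001/api/v1/namespaces/ingress-nginx/finalize
四、pv terminating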
# Drops every finalizer (normally kubernetes.io/pv-protection) so a PV stuck in
# Terminating is deleted. That bypasses the guard against removing a PV still
# in use: confirm no PVC references it, and note the backing volume's data may
# not be released by this patch.
kubectl patch pv pv_name -p '{"metadata":{"finalizers":null}}'
五、修改deployment 环境变量的值
# Changing an env var edits the pod template, so this triggers a rolling
# update of the Deployment. SW_AGENT_ENABLE looks like a SkyWalking agent
# toggle -- confirm with the application owners before flipping it.
kubectl set env deployment/be-obc-normal SW_AGENT_ENABLE=false -n mkcloud-dev
六、批量获取未拉到镜像的POD
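namespace="rp-be-test"
# For every pod stuck in ImagePullBackOff, pull the image name out of the
# pod's "Back-off pulling image ..." status message and append it to
# /tmp/image.txt. Only READY 0/1 pods are matched, so multi-container pods
# (0/2, ...) are skipped. /tmp/image.txt is a fixed, predictable path that is
# appended to on every run; truncate it first if a clean list is wanted.
kubectl get pods -n "${namespace}" \
  | awk '$0 ~ /0\/1/ && $0 ~ /ImagePullBackOff/ {print $1}' \
  | while IFS= read -r i; do
      kubectl get pods "$i" -n "${namespace}" -o yaml \
        | awk -F'"' '/Back-off/ {print $(NF-1)}' >> /tmp/image.txt
    done
nginx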
一、限制客户端IP访问频繁
限制客户端IP访问频率
http 配置段
http {
    # One shared-memory zone keyed by the binary client address: 10m holds
    # roughly 160k addresses; 50r/m is about one request every 1.2 s per key.
    # When the real_ip directives further down are active, this key is the
    # address recovered from X-Forwarded-For, so the trusted-proxy list must be
    # tight or the limit can be dodged by forging that header.
    limit_req_zone $binary_remote_addr zone=ip_zone:10m rate=50r/m;
}
server配置段
server {
    location / {
        ...
        # burst=30 lets up to 30 requests above the rate through at once
        # (nodelay: they are not queued); anything beyond is rejected with
        # 503 (the limit_req_status default) and shows as REJECTED in
        # $limit_req_status, which the logging snippet below relies on.
        limit_req zone=ip_zone burst=30 nodelay;
        ...
    }
}
记录限流的ip
http {
    ...
    # $limit_req_status is PASSED, DELAYED or REJECTED (plus *_DRY_RUN
    # variants); only rejections switch the flag on.
    map $limit_req_status $log_this_request {
        REJECTED 1;
        default 0;
    }
    ...
}
server {
    ...
    # Separate log of throttled clients only. "info" is the log_format from
    # the next snippet; nginx resolves the name while parsing, so declare the
    # format earlier in the http block than this access_log line.
    access_log /var/log/nginx/block_ip.access_log info if=$log_this_request;
}
二、logformat
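# escape=json (nginx >= 1.11.8) escapes quotes and control characters in
# request-controlled fields ($uri, $args, $http_referer, $http_user_agent,
# $http_x_forwarded_for, ...); without it a crafted header breaks the JSON
# and lets a client inject fake fields into the log. The "upstream_status"
# key the original emitted twice is written once.
log_format info escape=json
    '{"@timestamp":"$time_iso8601","host_name":"$hostname","server_ip":"$server_addr",'
    '"client_ip":"$remote_addr","xff":"$http_x_forwarded_for","domain":"$host","url":"$uri",'
    '"referer":"$http_referer","args":"$args","upstream_response_time":"$upstream_response_time",'
    '"request_time":"$request_time","upstream_connect_time":"$upstream_connect_time",'
    '"upstream_addr":"$upstream_addr","upstream_status":"$upstream_status",'
    '"upstream_header_time":"$upstream_header_time","request_method":"$request_method",'
    '"status":"$status","size":"$body_bytes_sent","request_length":"$request_length",'
    '"protocol":"$server_protocol","file_dir":"$request_filename",'
    '"http_user_agent":"$http_user_agent","block_ip":"$limit_req_status"}';
三、修改remote_addr IP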
http {
    ...
    # Only these two ranges are trusted to supply X-Forwarded-For. With
    # recursive on, nginx walks the header right-to-left past trusted hops and
    # takes the first untrusted address as $remote_addr. Keep the list to the
    # real LB/ingress hops: a trusted hop that forwards the header unchanged
    # (without appending its peer's address) lets clients choose their own
    # $remote_addr -- and with it their rate-limit key and logged client_ip.
    set_real_ip_from 100.64.0.0/10;
    set_real_ip_from 172.28.16.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    ...
}